mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
Merge pull request #9143 from paolomatarazzo/pm-20231121-freshness
[Smart Card] freshness review
This commit is contained in:
Stephanie Savell
GitHub
commit
88dd447511
@ -1,9 +1,10 @@
|
||||
---
|
||||
ms.date: 11/07/2023
|
||||
ms.date: 11/22/2023
|
||||
title: Smart Card and Remote Desktop Services
|
||||
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
|
||||
ms.topic: conceptual
|
||||
ms.topic: concept-article
|
||||
---
|
||||
|
||||
# Smart Card and Remote Desktop Services
|
||||
|
||||
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
|
||||
@ -25,7 +26,7 @@ In a Remote Desktop scenario, a user is using a remote server for running servic
|
||||
|
||||
Notes about the redirection model:
|
||||
|
||||
1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs `net use /smartcard`
|
||||
1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as *Client session*), the user runs `net use /smartcard`
|
||||
1. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer
|
||||
1. The authentication is performed by the LSA in session 0
|
||||
1. The CryptoAPI processing is performed in the LSA (`lsass.exe`). This is possible because RDP redirector (`rdpdr.sys`) allows per-session, rather than per-process, context
|
||||
@ -44,7 +45,7 @@ When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services
|
||||
|
||||
Remote Desktop Services enables users to sign in with a smart card by entering a PIN on the RDC client computer and sending it to the RD Session Host server in a manner similar to authentication that is based on user name and password.
|
||||
|
||||
In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
|
||||
In addition, group policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
|
||||
|
||||
To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer isn't in the same domain or workgroup, the following command can be used to deploy the certificate:
|
||||
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: Smart Card Architecture
|
||||
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
|
||||
ms.topic: reference-architecture
|
||||
ms.date: 11/06/2023
|
||||
ms.date: 11/22/2023
|
||||
---
|
||||
|
||||
# Smart Card Architecture
|
||||
|
||||
@ -1,15 +1,13 @@
|
||||
---
|
||||
title: Certificate Propagation Service
|
||||
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
|
||||
title: Certificate propagation service
|
||||
description: Learn about the certificate propagation service (CertPropSvc), which is used in smart card implementation.
|
||||
ms.topic: concept-article
|
||||
ms.date: 08/24/2021
|
||||
ms.date: 11/22/2023
|
||||
---
|
||||
|
||||
# Certificate Propagation Service
|
||||
# Certificate propagation service
|
||||
|
||||
This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
|
||||
|
||||
The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
|
||||
The certificate propagation service (CertPropSvc) is a Windows service that activates when a user inserts a smart card in a reader that is attached to the device. The action causes the certificates to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
|
||||
|
||||
> [!NOTE]
|
||||
> The certificate propagation service must be running for smart card Plug and Play to work.
|
||||
@ -47,9 +45,9 @@ Root certificate propagation is responsible for the following smart card deploym
|
||||
- Joining the domain
|
||||
- Accessing a network remotely
|
||||
|
||||
In both cases, the computer isn't joined to a domain, and therefore, trust isn't being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
|
||||
In both cases, the computer isn't joined to a domain, and therefore, trust isn't being managed by group policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
|
||||
|
||||
When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You might also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
|
||||
When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You might also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with group policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
|
||||
|
||||
For more information about root certificate requirements, see [Smart card root certificate requirements for use with domain sign-in](smart-card-certificate-requirements-and-enumeration.md#smart-card-root-certificate-requirements-for-use-with-domain-sign-in).
|
||||
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: Certificate Requirements and Enumeration
|
||||
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
|
||||
ms.topic: concept-article
|
||||
ms.date: 11/06/2023
|
||||
ms.date: 11/22/2023
|
||||
---
|
||||
|
||||
# Certificate Requirements and Enumeration
|
||||
@ -23,23 +23,23 @@ When a smart card is inserted, the following steps are performed.
|
||||
1. The certificate is then queried from the key context by using KP_CERTIFICATE. The certificate is added to an in-memory certificate store.
|
||||
1. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed:
|
||||
|
||||
1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date).
|
||||
1. The certificate must not be in the AT_SIGNATURE part of a container.
|
||||
1. The certificate must have a valid user principal name (UPN).
|
||||
1. The certificate must have the digital signature key usage.
|
||||
1. The certificate must have the smart card logon EKU.
|
||||
1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date)
|
||||
1. The certificate must not be in the AT_SIGNATURE part of a container
|
||||
1. The certificate must have a valid user principal name (UPN)
|
||||
1. The certificate must have the digital signature key usage
|
||||
1. The certificate must have the smart card logon EKU
|
||||
|
||||
Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions).
|
||||
Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions)
|
||||
|
||||
1. The process then chooses a certificate, and the PIN is entered.
|
||||
1. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt.
|
||||
1. If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released.
|
||||
1. The process then chooses a certificate, and the PIN is entered
|
||||
1. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt
|
||||
1. If successful, `LogonUI.exe` closes. This causes the context acquired in Step 3 to be released
|
||||
|
||||
## Smart card sign-in flow in Windows
|
||||
|
||||
Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) doesn't reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change.
|
||||
|
||||
Client certificates that don't contain a UPN in the `subjectAltName`` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
|
||||
Client certificates that don't contain a UPN in the `subjectAltName` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
|
||||
|
||||
Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy.
|
||||
|
||||
@ -53,22 +53,22 @@ The following diagram illustrates how smart card sign-in works in the supported
|
||||
|
||||
Following are the steps that are performed during a smart card sign-in:
|
||||
|
||||
1. Winlogon requests the sign-in UI credential information.
|
||||
1. Winlogon requests the sign-in UI credential information
|
||||
1. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following:
|
||||
1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected).
|
||||
1. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them.
|
||||
1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal.
|
||||
1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected)
|
||||
1. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them
|
||||
1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal
|
||||
|
||||
> [!NOTE]
|
||||
> Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created.
|
||||
|
||||
1. Notifies the sign-in UI that it has new credentials.
|
||||
1. Notifies the sign-in UI that it has new credentials
|
||||
|
||||
1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box.
|
||||
1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN.
|
||||
1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure. The main contents of the KERB_CERTIFICATE_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain isn't in the same forest because it enables a certificate to be mapped to multiple user accounts.
|
||||
1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI.
|
||||
1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser.
|
||||
1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box
|
||||
1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN
|
||||
1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure. The main contents of the KERB_CERTIFICATE_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain isn't in the same forest because it enables a certificate to be mapped to multiple user accounts
|
||||
1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI
|
||||
1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser
|
||||
1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
|
||||
|
||||
If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.\
|
||||
@ -185,11 +185,11 @@ A single user certificate can be mapped to multiple accounts. For example, a use
|
||||
Based on the information that is available in the certificate, the sign-in conditions are:
|
||||
|
||||
1. If no UPN is present in the certificate:
|
||||
1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts
|
||||
1. A hint must be supplied if mapping isn't unique (for example, if multiple users are mapped to the same certificate)
|
||||
1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts
|
||||
1. A hint must be supplied if mapping isn't unique (for example, if multiple users are mapped to the same certificate)
|
||||
1. If a UPN is present in the certificate:
|
||||
1. The certificate can't be mapped to multiple users in the same forest
|
||||
1. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user
|
||||
1. The certificate can't be mapped to multiple users in the same forest
|
||||
1. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user
|
||||
|
||||
## Smart card sign-in for multiple users into a single account
|
||||
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: Smart Card Troubleshooting
|
||||
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
|
||||
ms.topic: troubleshooting
|
||||
ms.date: 11/06/2023
|
||||
ms.date: 11/22/2023
|
||||
---
|
||||
|
||||
# Smart Card Troubleshooting
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: Smart card events
|
||||
description: Learn about smart card deployment and development events.
|
||||
ms.topic: troubleshooting
|
||||
ms.date: 06/02/2023
|
||||
ms.date: 11/22/2023
|
||||
---
|
||||
|
||||
# Smart card events
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: Smart Card Group Policy and Registry Settings
|
||||
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
|
||||
ms.topic: reference
|
||||
ms.date: 11/06/2023
|
||||
ms.date: 11/22/2023
|
||||
---
|
||||
|
||||
# Smart Card Group Policy and Registry Settings
|
||||
@ -262,7 +262,7 @@ When this setting isn't turned on, Credential Manager can return plaintext PINs.
|
||||
You can use this policy setting to control the way the subject name appears during sign-in.
|
||||
|
||||
> [!NOTE]
|
||||
> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
|
||||
> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is *CN=User1, OU=Users, DN=example, DN=com* and the UPN is *user1@example.com*, *User1* is displayed with *user1@example.com*. If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
|
||||
|
||||
When this policy setting is turned on, the subject name during sign-in appears reversed from the way that it's stored in the certificate.
|
||||
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: How Smart Card Sign-in Works in Windows
|
||||
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
|
||||
ms.topic: overview
|
||||
ms.date: 1/06/2023
|
||||
ms.date: 11/22/2023
|
||||
---
|
||||
|
||||
# How Smart Card Sign-in Works in Windows
|
||||
|
||||
@ -2,23 +2,23 @@
|
||||
title: Smart Card Removal Policy Service
|
||||
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
|
||||
ms.topic: concept-article
|
||||
ms.date: 09/24/2021
|
||||
ms.date: 11/22/2023
|
||||
---
|
||||
|
||||
# Smart Card Removal Policy Service
|
||||
|
||||
This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
|
||||
This article describes the role of the removal policy service (`ScPolicySvc`) in smart card implementations.
|
||||
|
||||
The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
|
||||
The smart card removal policy service is applicable when a user signs in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by group policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
|
||||
|
||||
|
||||
|
||||
|
||||
The numbers in the previous figure represent the following actions:
|
||||
The numbers in the diagram represent the following actions:
|
||||
|
||||
1. Winlogon isn't directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated.
|
||||
1. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.
|
||||
1. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified.
|
||||
1. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer.
|
||||
1. `Winlogon` isn't directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated
|
||||
1. The smart card resource manager service notifies the smart card removal policy service that a sign-in occurred
|
||||
1. `ScPolicySvc` retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, `ScPolicySvc` is notified
|
||||
1. `ScPolicySvc` calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, `ScPolicySvc` sends a message to Winlogon to lock the computer.
|
||||
|
||||
## See also
|
||||
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: Smart Cards for Windows Service
|
||||
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
|
||||
ms.topic: concept-article
|
||||
ms.date: 11/06/2023
|
||||
ms.date: 11/22/2023
|
||||
---
|
||||
|
||||
# Smart Cards for Windows Service
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: Smart Card Tools and Settings
|
||||
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
|
||||
ms.topic: conceptual
|
||||
ms.date: 11/06/2023
|
||||
ms.date: 11/22/2023
|
||||
---
|
||||
|
||||
# Smart Card Tools and Settings
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
title: Smart Card Technical Reference
|
||||
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
|
||||
ms.topic: overview
|
||||
ms.date: 11/06/2023
|
||||
ms.date: 11/22/2023
|
||||
---
|
||||
|
||||
# Smart Card Technical Reference
|
||||
|
||||
@ -4,7 +4,7 @@ description: This topic details how Microsoft supports the Common Criteria certi
|
||||
ms.author: sushmanemali
|
||||
author: s4sush
|
||||
ms.topic: reference
|
||||
ms.date: 11/4/2022
|
||||
ms.date: 11/22/2023
|
||||
ms.reviewer: paoloma
|
||||
ms.collection:
|
||||
- tier3
|
||||
@ -147,7 +147,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
|
||||
- [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
|
||||
- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf)
|
||||
|
||||
### Windows 10, version 1607, Windows Server 2016
|
||||
### Windows 10, version 1607, Windows Server 2016 (VPN)
|
||||
|
||||
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user