Authentication Mechanism Assurance Bug?
I've recently set up a test lab to test Authentication Mechanism Assurance after reviewing a TechEd session given by TrueSec's Marcus Murray a couple of years ago. Everything seemed to be working OK: logon with smart card and PIN and the user is a member of the configured dynamic group based on the OID of the application policy added to the smart card's certificate template. Logon without the smart card and the user is not a member of the group. So far so good.

However, if I log on with username and password whilst the smart card remains inserted, the user appears to be viewed as having logged on via smart card and is made a member of the dynamic group. Slightly more worrying is that if I log on with a username and password of a completely different user while the smart card remains inserted, the user is made a member of the dynamic group!

Can anyone comment on whether this is expected behaviour, as both scenarios seem wrong to me? My expectation is that AMA will be 'applied' only if I authenticate using the smart card, i.e. with smart card + PIN, not just having the smart card present in the reader. Secondly, simple possession of any smart card that contains a certificate with the correct application policy OID will make anyone a member of the configured group(s) provided they have the smart card in the reader when they log on; this just seems totally wrong.

Steve G
March 20th, 2012 4:56am

Hi Steve, I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Regards, Bruce
March 22nd, 2012 12:40am

I myself, together with Marcus Murray, have used AMA in production as well as demonstrated AMA many, many times so far and have never seen the case you are describing. We normally have the smart card inserted in the reader and demonstrate the password logon and the dynamic group not being there, back and forth. I did a new test yesterday following your description but was never able to repeat your results. Understanding how Kerberos works, the KDC must see the certificate in an authentication flow to include the dynamic group in the security token, and just having the smart card inserted in the reader is not going to cause the desired certificate-based Kerberos authentication unless you actively use smart card logon.

/Hasain
March 22nd, 2012 3:12am

Hi Hasain, I think I may have identified the source of the problem: VMware Workstation 8!

I enrolled a new smart card for a new user and logged on using the smart card to my virtualised Windows 7 Enterprise client. As before, I saw my high security group in the security token when running 'whoami /groups'. I can also see the 'This Organisation Certificate' group, which is also only present during a smart card logon. When I log out and immediately log in as the same user, but not using the smart card, the high security group is still reported as being in the security token when running 'whoami /groups', but the 'This Organisation Certificate' group is not present in the token. When I log off and log on again as the same user, again without using the smart card, the high security group is gone from the security token as reported by 'whoami /groups'.

I must admit, since I enrolled a new smart card for my test user, I have not been able to replicate the behaviour where a non-smart card user logs on with my test user's smart card in the reader and gets the high security group in its token.

However, I managed to get hold of a second laptop for my lab, so I built it as a physical Windows 7 Enterprise client and loaded up the smart card software. I was unable to duplicate the scenario where the high security group persists when the smart card user logs off then logs on again using standard credentials, so I suspect some peculiarities with the USB support in VMware Workstation may be to blame. When I repeat the test using my virtualised client, the high security group persists for the first logon using standard credentials that immediately follows a smart card logon for the same user.

The scenario I had in mind for this technology uses physical devices, so I'm happy there are no security risks, having now tried this out on a physical device. I might drop VMware support a note of this behaviour and see how they respond!

Steve G
March 26th, 2012 7:10am
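The checks Steve runs with 'whoami /groups' above can be scripted so that the two markers of a smart card logon are compared in one pass: the AMA dynamic group and the well-known 'This Organization Certificate' group (SID S-1-5-65-1). The following is an added example written for this thread, not code from any of the posters; it inspects the current logon token via .NET and reports whether the two markers agree. The AMA group's SID is a placeholder you must replace with the SID of your own dynamic group, and the function name is my own.

```powershell
# Added example, not from the original thread.
# Reports whether the current logon token carries the markers of a smart card
# logon, so a stale AMA group (the VMware case described above) stands out.
# Assumption: the caller supplies the SID of the AMA-linked dynamic group.
# S-1-5-65-1 is the well-known SID for "This Organization Certificate".
function Test-SmartCardLogonToken {
    param(
        # SID of the AMA dynamic group; find it with: (Get-ADGroup <name>).SID.Value
        [Parameter(Mandatory)][string]$AmaGroupSid
    )

    $thisOrgCertSid = 'S-1-5-65-1'
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groupSids = @($identity.Groups | ForEach-Object { $_.Value })

    $hasCertMarker = $groupSids -contains $thisOrgCertSid
    $hasAmaGroup   = $groupSids -contains $AmaGroupSid

    # Resolve the AMA SID to a name for the report; tolerate lookup failures.
    $amaName = try {
        ([System.Security.Principal.SecurityIdentifier]$AmaGroupSid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $AmaGroupSid }

    [pscustomobject]@{
        User                    = $identity.Name
        AmaGroup                = $amaName
        HasThisOrgCertificate   = $hasCertMarker
        HasAmaGroup             = $hasAmaGroup
        # Both true: a certificate-based Kerberos logon, as Hasain describes.
        # AMA group present without the certificate marker: the stale token
        # Steve observed on the virtualised client; worth investigating.
        MarkersConsistent       = ($hasCertMarker -eq $hasAmaGroup)
    }
}

# Placeholder SID; replace with your lab's AMA dynamic group SID.
Test-SmartCardLogonToken -AmaGroupSid 'S-1-5-21-REPLACE-WITH-LAB-GROUP-SID'
```

Run it immediately after each logon in the sequence Steve describes (smart card, then password, then password again); a row with HasAmaGroup true and HasThisOrgCertificate false is the inconsistent token worth reporting to the platform vendor.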
