Kerberos TGT protection
As I'm using a smart card in my enterprise, my boss asked me: since I have a smart card, then no one can use my identity and impersonate my identity. Well, I was thinking, when my boss logs on to the machine, he will use his public key/private key to authenticate to the KDC and obtain a TGT. This TGT is protected by the local LSA. So if my boss locks his machine, and his machine was attacked, and an attacker could pull the TGT, the attacker will start accessing resources and getting service tickets and renewing the TGT for up to 7 days.

So my question is: when will the TGT be cleared from the local computer? When the user logs off?

My next question: is the old TGT used to renew itself without the need of user smart card cryptography? And does the machine itself that the smart card user logged on to have access to the unencrypted TGT?

As I understand it, the TGT is what matters when authenticating to the network resources, and the smart card is only required to get the TGT initially. So even with a smart card, the thing that matters is the TGT itself: who has access to it, is it available in unencrypted form on the machine, and will it be erased if the user logs off?

ammarhasayen
December 10th, 2010 7:38pm

