NTLM Authentication when Windows SmartCard Logon is used
I was wondering the following: Whenever a user logs on by using a smart card on a workstation, I guess he receives a Kerberos ticket which might be used to access several network resources. Whenever a user logs on by using a normal username/password, I guess he receives a Kerberos ticket and an NTLM set which might be used to access several network resources. What happens if a user logs on by using a smart card and accesses an NTLM-only application, like SharePoint (when configured like that)? Will he receive a popup asking for credentials, or is there some mechanism which solves this situation?
September 13th, 2009 2:17pm

> Will he receive a popup asking for credentials?

Yes. Also you may use stored names and passwords to network resources: Start -> Run... -> control userpasswords2
[http://www.sysadmins.lv]

As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, powershell.exe! Flowering Weeds
September 13th, 2009 11:05pm

This has some kind of weird result. Yes, in principle, when you are logging on with a smart card, NTLM is not possible, because you do not have the domain password.

But consider a user account that has already logged on to a client computer and then accessed some network resource (regardless of the auth. method used). After that, when he logs on for the first time with a smart card (on the same client computer), he is still able to use NTLM creds that were previously cached for network resources. Indefinitely. So NTLM will work when previously used creds are cached, even when logged on with a smart card.

Consider what happens later, when the password on his domain account is reset. If he is using only his smart card for logon (never password again), when he tries to access an NTLM resource (such as an IP address), his computer will still try to use the previously cached NTLM creds, but now they are invalid due to the changed domain password. At this point, this NTLM access is NOT POSSIBLE any more, until he logs on again with the new password to be cached.

ondrej.
September 14th, 2009 12:49pm

Hmm, both answers are very interesting, especially about the cached credentials. However, if they change at the domain level, this could cause lockout issues... if the client tries to access several different resources in a short time... Do any of you have any links to "official" documentation?

Thnx in advance,
Kind regards,
Thomas
September 14th, 2009 10:12pm

I haven't ever seen this documented. And yes, it would produce lockout. But first, you are not assumed to change the password on the domain. Second, the lockout would happen only when NTLM is used - this is only the case for IP addresses and A aliases, which is not so frequent.

ondrej.
September 15th, 2009 10:53am

Hello. In what situation would a user who has logged on with a smart card be prompted for credentials? Is it when there is nothing cached from previous logons?

PKI
January 20th, 2012 10:26am

Regardless of cached credentials or any other form of saved credentials, the client always receives the NTLM hash of the user password when a smart card logon is performed. The following text in the article [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol Specification (http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/[MS-PKCA].pdf) describes this clearly:

> In order to support NTLM authentication [MS-NLMP] for applications connecting to network services that do not support Kerberos authentication, when PKCA is used, the KDC returns the user's NTLM one-way function (OWF) in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer ([MS-PAC] section 2.6.1).

/Hasain
January 20th, 2012 12:48pm
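As an added example (not posted by anyone in this thread), the PowerShell function below summarises, per user, how many Security event 4624 network logons used Kerberos versus NTLM, so an admin can see whether smart-card users are in fact falling back to the NTLM credentials the replies above describe. The EventData field names are the standard 4624 fields; the sample event embedded at the end is constructed.

```powershell
# Added example: summarise authentication packages seen in Security event 4624.
# Field names (TargetUserName, TargetDomainName, LogonType, AuthenticationPackageName,
# IpAddress) are the standard 4624 EventData fields; the sample event is constructed.
function Get-LogonPackageSummary {
    param([Parameter(Mandatory)] [xml[]] $EventXml)

    $rows = foreach ($doc in $EventXml) {
        # Flatten <Data Name="...">value</Data> pairs into a hashtable
        $f = @{}
        foreach ($d in $doc.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        # LogonType 3 = network logon, which is where a fallback to NTLM
        # against an IP-addressed share or NTLM-only web app shows up
        if ($f['LogonType'] -eq '3') {
            [pscustomobject]@{
                User    = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
                Package = $f['AuthenticationPackageName']
                Source  = $f['IpAddress']
            }
        }
    }
    $rows | Group-Object User, Package | ForEach-Object {
        [pscustomobject]@{
            User    = $_.Group[0].User
            Package = $_.Group[0].Package
            Count   = $_.Count
            Sources = ($_.Group.Source | Sort-Object -Unique) -join ', '
        }
    }
}

# Live use on a file server or domain controller (needs read access to the Security log):
#   $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 1000 |
#           ForEach-Object { [xml]$_.ToXml() }
#   Get-LogonPackageSummary -EventXml $live | Where-Object Package -eq 'NTLM'

# Constructed sample event so the function can be exercised offline
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">thomas</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
Get-LogonPackageSummary -EventXml @($sample) | Format-Table -AutoSize
```

A user who logs on only with a smart card but still shows NTLM rows here is relying on the OWF returned in the PAC or on cached credentials, and will start failing against those resources once the domain password is reset, as ondrej described.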
