Offline Smartcard Logon and share access
Hello, we have the following problem. When a user logs on with a smartcard and the computer has no connection to the corporate network (so no DC is reachable), and she/he connects afterwards to the corporate network (no matter if via VPN or direct), she/he is not able to access network shares nor other NTLM-based services. I know that it is somehow NTLM and Kerberos related.

I sniffed what happens over the network when I try to connect to a server, and it seems that the client sends an SMB Negotiate Protocol Request and the server answers with an SMB Negotiate Protocol Response. That's it, the client does not react to the response. When I try to connect to the server when I was online while logging in, after the SMB Negotiate Protocol Response the client starts with the SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE and so on. Finally I am connected.

How can I enable users to access shares when they were offline while logging in?

Thanks for any help,
Stephan
December 15th, 2009 4:13pm

First of all, Kerberos <> NTLM.

The easiest is to have the user lock their computer, and then log on again. This provides them with a new TGT for access to data.

Brian
December 15th, 2009 4:42pm

Thanks Brian, I know about this workaround, and it works for now. But due to new security rules we have to build a GPO to force smartcard logon. So locking the computer and unlocking it with username/password will not be available any more. So I really need to find some solution for this.

Stephan
December 15th, 2009 5:04pm

0) This is not normal. What is the client operating system version? Did you try it with Windows Vista and Windows 7 clients?
1) Why don't they log off when they go online?
2) If you need to log on "online" even when needing the VPN, the VPN can be dialed up before the actual logon happens (there is the checkbox on the logon dialog box in XP, or the button below on the screen on Vista+).
3) You say "NTLM based" resources. How do you define or distinguish an NTLM-based resource from a Kerberos resource?

ondrej.
December 15th, 2009 10:45pm

Thanks Brian, I know about this workaround, and it works for now. But due to new security rules we have to build a GPO to force smartcard logon. So locking the computer and unlocking it with username/password will not be available any more. So I really need to find some solution for this. Stephan

I am not saying to log on with username/password, I am saying to lock and then log on with the smart card.

If you have applications that are truly not kerberized (use Kerberos), these should have been caught in your pilot as they probably will never work with a user that authenticates with a smart card.

Brian
December 15th, 2009 11:31pm

Thanks for the replies.

@Ondrej:
0) I am trying it with Win XP and Windows 7.
1) Not sure what you mean by this!? They are sitting at home or somewhere and connecting to the corporate network via the Internet.
2) We need to use a special client to establish the VPN connection, so we cannot use the built-in feature of dialing in before logon.
3) As far as I know, SharePoint Services are NTLM based and Office Communications Server probably too. But all this works fine when logging in online.

@Brian:
Ok, sorry, so I misunderstood you. I think I tried it with unlocking via smartcard and it still did not work. But I'm not sure. So I will try this tomorrow and give you feedback. As said above, we do not have applications that do not work when logging on with smartcard and connection to the CN.

BTW the message I get is "The Kerberos protocol encountered an error while attempting to utilize the smartcard subsystem." (Win7 error message)

Regards
Stephan
December 16th, 2009 12:52am

Sorry Brian, you were absolutely right. It also works when you unlock the computer with the smartcard. So this would be an advice we could give our users. But it's still a workaround. I would prefer a "real" solution to this problem. Any ideas on this?

Stephan
December 16th, 2009 11:05am

Sorry Brian, you were absolutely right. It also works when you unlock the computer with the smartcard. So this would be an advice we could give our users. But it's still a workaround. I would prefer a "real" solution to this problem. Any ideas on this? Stephan

Log off and log on, or lock and unlock the workstation, are the only "real" solutions.

Paul Adare
CTO IdentIT Inc.
ILM MVP
December 16th, 2009 11:36am

This is the real solution (and basic Kerberos). You must acquire a new TGT, as the TGT that you have is expired. To get the new TGT, you have to re-authenticate with the network.

In fact, if you are using Vista or Windows 7, you are actually prompted to lock/unlock your computer if you attempt to access a resource with an expired TGT.

Brian
December 16th, 2009 3:55pm
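The state Brian describes (a DC is now reachable, but the logon session holds no usable TGT, so the SMB session setup never gets past the negotiate response) can be verified on the workstation before telling the user to lock/unlock. The following PowerShell script is an added example and not code from the thread; it relies only on the built-in klist.exe and nltest.exe tools (Windows Vista/7 and later). The domain name and share path are placeholders, and the parsing of the klist output assumes the usual "Cached TGT:" / "EndTime :" lines.

```powershell
# Added example (not from the original thread): check whether the current logon session
# has a Kerberos TGT and whether a DC is reachable, i.e. the "logged on offline with a
# smartcard, then joined the corporate network" state discussed above.
param(
    [string]$Domain = 'corp.example.com',   # assumption: your AD DNS domain name
    [string]$Share  = '\\fileserver\data'   # assumption: any Kerberos-authenticated UNC path
)

function Get-TgtState {
    # 'klist tgt' prints the cached TGT of the caller's logon session, or an error text
    # when the session has none (e.g. after a cached/offline logon).
    # Assumption: output contains a 'Cached TGT' header and an 'EndTime :' line.
    $out = (& klist.exe tgt 2>&1) -join "`n"
    if ($out -match 'Cached TGT') {
        $end = ($out -split "`n" | Where-Object { $_ -match 'EndTime' }) -replace '^\s*EndTime\s*:\s*', ''
        return New-Object PSObject -Property @{ HasTgt = $true; EndTime = ("$end").Trim(); Raw = $out }
    }
    return New-Object PSObject -Property @{ HasTgt = $false; EndTime = $null; Raw = $out }
}

function Test-DcReachable {
    param([string]$Domain)
    # nltest /dsgetdc asks the Netlogon service to locate a DC for the domain;
    # exit code 0 means one answered (so the VPN/direct link is really up).
    & nltest.exe /dsgetdc:$Domain 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$tgt = Get-TgtState
$dc  = Test-DcReachable -Domain $Domain

Write-Host "DC reachable : $dc"
Write-Host "TGT present  : $($tgt.HasTgt)  (expires: $($tgt.EndTime))"

if ($dc -and -not $tgt.HasTgt) {
    # Exactly the situation in the thread: the network is there, the ticket is not.
    Write-Host "No TGT in this logon session although a DC is reachable."
    Write-Host "Lock and unlock the workstation with the smart card (or log off/on) so that"
    Write-Host "Kerberos can obtain a TGT, then re-run this script."
}
elseif ($dc -and $tgt.HasTgt) {
    # With a TGT the SMB Session Setup carries a Kerberos AP-REQ instead of stalling.
    Write-Host "Testing share access: $Share"
    Write-Host ("Accessible: " + (Test-Path -Path $Share))
    # After a successful connect, a service ticket for the server's cifs/ SPN is cached:
    & klist.exe | Select-String 'Server:'
}
else {
    Write-Host "No DC reachable; connect the VPN or corporate network first."
}
```

Run it once right after connecting the VPN and once after lock/unlock with the smart card; the second run should show a TGT with a future EndTime and a cifs/ service ticket for the file server.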

Ok, then that's the way to do it. Thank you very much for your help and the explanations.

(But as stated before, I get the following message in Windows 7: "\\server is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The Kerberos protocol encountered an error while attempting to utilize the smartcard subsystem." I would appreciate the message you mentioned! :-))

Regards
Stephan
December 17th, 2009 1:28pm
