SmartCard Logon Not Working As Expected
Deployed a Windows PKI to use with RSA smartcards. They want to use it for specific purposes, such as requiring admin accounts to log on to a server with two-factor auth. The enrollment process seems to go correctly. However, the problems they are experiencing are these:

1) A smartcard-enabled user can go to any server, plug the USB card in and log into the server, even though that particular account has no rights to log into that server. They are not a part of the local admin group or remote desktop group.
2) With the USB plugged into their laptop or desktop, they can RDP into a server and are never prompted for smartcard credentials.

The admin user accounts have the smartcard enabled checkbox ticked.

MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003
April 17th, 2012 10:45am

1) I guess they are domain admins and have permissions to log on to the server.
2) Sounds like a smart card client misconfiguration. You need to check your card documentation to configure key caching options. As with Aladdin tokens (which I'm using), there are 3 caching options (ask for the PIN each time the card is accessed, per-process caching, per-session caching).

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
April 17th, 2012 11:58am

We were able to solve some of the issues. Basically, they didn't have some basic settings enabled (they did not have "smartcard is required" checked, which I thought they did have previously) and we needed to install KB909520 on some of the servers. The current issue is how to integrate RSA with VMware ESX, but I guess that's for another forum.

MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003
April 17th, 2012 1:52pm
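
Added example, not part of the original thread: the root cause reported above was that the "smartcard is required" checkbox was not actually set on the admin accounts. One way to audit that across privileged groups is sketched below. It assumes the ActiveDirectory PowerShell module (RSAT) is available, and the group names are assumptions to adjust for your domain.

```powershell
# Added example: list enabled privileged accounts that are NOT forced to use a
# smart card for interactive logon (password logon is still possible for them).
Import-Module ActiveDirectory

# Assumption: privileged groups to audit; adjust for the environment.
$PrivilegedGroups = 'Domain Admins', 'Administrators'

# userAccountControl bit behind the "Smart card is required for interactive
# logon" checkbox (ADS_UF_SMARTCARD_REQUIRED).
$SMARTCARD_REQUIRED = 0x40000

$report = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect admins are included.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                            -Properties userAccountControl
            [pscustomobject]@{
                Group             = $group
                SamAccountName    = $u.SamAccountName
                Enabled           = $u.Enabled
                SmartcardRequired = [bool]($u.userAccountControl -band $SMARTCARD_REQUIRED)
            }
        }
}

# Enabled admin accounts where the checkbox is not set.
$report |
    Where-Object { $_.Enabled -and -not $_.SmartcardRequired } |
    Sort-Object SamAccountName -Unique |
    Format-Table Group, SamAccountName, Enabled, SmartcardRequired -AutoSize
```

An empty result means every enabled member of the audited groups has the flag set; any row returned is an account that can still authenticate with a password alone.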
