Smart Card login failures don't register
Hi,
I'm running Server 2008 in a test bed environment and attempting to use Gemalto .NET smart cards for user logons. I've been able to write the certs to the cards, and logging in with the cards works fine. I'm running into a problem where if a user puts a bad PIN in 5 times, the card will lock them out but AD won't.
Additionally, in the event viewer, there are security events appearing that show "failed logins", but the account name is blank. It doesn't say 'null', it's just blank.
I'm wondering if anybody has any ideas on how we might be able to resolve this.
Thanks!
March 29th, 2011 9:40am
sure, the PIN lockout is local to the smart card and does not touch the network at all. so the DC cannot get to know that a card has been locked. it would require some client application that would monitor the card lockout and also lock the accounts on the DC "manually".
as the card locks out, there is no certificate to be used from it for the logon, so the logon event cannot display any account name as it in fact didn't do any windows login attempt at all. the card just didn't provide any information to windows that could be displayed.
ondrej.
March 30th, 2011 8:06am
Are there any logs that get generated on the server (CA or in AD) that would give the administrator a hint that so-and-so user is failing logon due to an invalid PIN? Additionally, in a smart card logon environment, it sounds like the administrator can't run a report on which smart cards are locked out (blocked) due to an invalid PIN.
It sounds like this really isn't possible to do out of the box. From what it sounds like, you may be able to write a script that would notify AD of failed logons from the client end, but that's really about it. I suppose I'm just kind of surprised that an administrator would be missing 'failed logons' from smart cards due to an invalid PIN. Plus, you're really putting a lot of faith in the smart card in regards to blocking the user if the card is compromised. I would have thought that the card would "sync" more with AD.
Thanks for the response and the information. I'm just learning this and it's good to know that what I'm doing is how it normally operates and that I'm not doing anything wrong!
Thanks!
March 30th, 2011 9:36am
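As an added example (not from the thread or any of its posters), the PowerShell below pulls failed-logon records (Security event ID 4625 on Server 2008 and later) and groups those with a blank account name by workstation and source address, which is about the most a server-side log can say about a user who keeps failing the PIN. It assumes PowerShell 2.0 or later and read access to the Security log on the target machine; the helper name Get-EventField is the example's own.

```powershell
# Example, not from the thread. Summarise Security event 4625 (failed logon, Server 2008+)
# records whose TargetUserName is blank, grouped by workstation and source IP address.
# Assumes PowerShell 2.0+ and read access to the Security log on $ComputerName.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

# Read one named <Data Name="..."> field out of an event's EventData element.
# GetAttribute/InnerText are used so the element's own .Name property is not confused
# with its Name attribute. (Helper written for this example.)
function Get-EventField {
    param($EventData, [string]$FieldName)
    if (-not $EventData) { return '' }
    $node = @($EventData.Data) | Where-Object { $_.GetAttribute('Name') -eq $FieldName }
    if ($node) { return [string]$node.InnerText } else { return '' }
}

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData
    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        User        = (Get-EventField $data 'TargetUserName').Trim()
        Workstation = Get-EventField $data 'WorkstationName'
        IpAddress   = Get-EventField $data 'IpAddress'
        AuthPackage = Get-EventField $data 'AuthenticationPackageName'
        Status      = Get-EventField $data 'Status'
    }
}

# A blank or '-' account name is what the thread describes: no credential ever reached
# Windows, so only the workstation and address can be reported. A burst of these from
# one machine is the closest thing to a "bad PIN" hint the server side can offer.
$blank = $rows | Where-Object { $_.User -eq '' -or $_.User -eq '-' }
$blank |
    Group-Object Workstation, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'LastSeen'; Expression = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

Run it against the machine whose Security log shows the blank-name events (the workstation, or the DC with -ComputerName); the card itself still has to be unblocked out of band, as the next reply explains.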
The key point is that when you log in with a smart card (PKINIT extensions to Kerberos), the request is not submitted for the TGT until you sign the request with the private key of the certificate on the smart card. Since the user has not successfully provided a PIN, no actual logon attempt has occurred.
It is not a problem to have "faith in the smart card". It does lock itself and can only be unblocked through a challenge/response mechanism that involves calling into a help desk or connectivity to a registration authority (such as FIM CM).
Brian
March 30th, 2011 10:53am