VPN connection remains active after removing smart card

Hi,

I configured a Microsoft Windows Server 2008 R2 as a remote access server (VPN server). The only allowed authentication method is "Microsoft: Smart Card or other certificate." I deployed an enterprise CA on this machine and everything is working properly.

Now, the problem is that when I remove the smart card from the client while the client is connected to the VPN server, it is not disconnected. For security reasons I need the connection to be disconnected after the authentication certificate (smart card) is removed, either immediately or after a timeout expires. How can this be done?

May 13th, 2013 11:19am

Hi,

Thank you for the post.

Please refer to this article: http://technet.microsoft.com/en-us/library/dd277384.aspx

System administrators can also configure system response when a user removes the smart card from the reader while logged on to the system. Administrators can choose from three options for how the system responds when a smart card is removed while a user is logged on:

  • No Action: This is the default setting. When you select this option, nothing happens when the user removes the smart card.
  • Lock Workstation: CTRL + ALT + DEL and then press Lock Workstation.
  • Force Logoff: When you select this option, the user is automatically logged off the system when the smart card is removed. Use this option for high security.

Regards,

May 14th, 2013 6:54pm

Thanks for the response, Nick.

The article you mentioned in your response is about forcing a user to be logged off if he/she is logged on to the domain through a domain member client computer.

In other words, I want to configure NPS or RRAS to re-authenticate remote sessions frequently, at predefined intervals, so that if the credential is no longer valid (in this case, because the smart card has been removed from the client computer) the session is terminated and the remote user is disconnected from the network. In this case the users are neither logged on to the domain nor using a domain member client computer, so we cannot force Group Policy. Users are remotely connected to the network using a tunneling protocol like SSTP, and the client computer is a non-domain one.

I also saw this thread, but the answer does not address this question's scenario:

http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/33d0c8a6-cd67-4c04-a3f1-05f153076fd9

May 26th, 2013 10:05am
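As an added illustration of the behaviour asked for above (this is example code, not something posted in the thread or shipped by Microsoft): a small client-side watchdog that tears down the RAS/VPN connection once no smart card device is present. It assumes the phonebook entry is called "CorpVPN" (placeholder), that the card enumerates as a PnP device in the Microsoft SmartCard setup class while inserted (true for minidriver-based cards), and that polling every few seconds is an acceptable "timeout".

```powershell
# Added example: drop the VPN session when the smart card is pulled.
# Not from the original thread; all names below are assumptions.
$VpnName        = 'CorpVPN'   # assumed RAS phonebook entry name (placeholder)
$PollSeconds    = 5           # re-check interval; acts as the disconnect timeout
# Microsoft-defined setup-class GUID under which inserted smart cards enumerate
$SmartCardClass = '{990A2BD7-E738-46C7-B26F-1CF8FB9F1391}'

function Test-SmartCardPresent {
    # Any PnP entity in the SmartCard class means a card is currently inserted
    $cards = Get-WmiObject -Class Win32_PnPEntity -Filter "ClassGuid='$SmartCardClass'"
    return [bool]$cards
}

function Test-VpnConnected {
    param([string]$Name)
    # rasdial.exe with no arguments lists active connections, one name per line
    $lines = & rasdial.exe 2>$null
    return ($lines -contains $Name)
}

function Disconnect-VpnIfCardRemoved {
    param([string]$Name)
    if ((Test-VpnConnected -Name $Name) -and -not (Test-SmartCardPresent)) {
        & rasdial.exe $Name /DISCONNECT | Out-Null
        Write-Output ("{0}: smart card removed, disconnected '{1}'" -f (Get-Date -Format s), $Name)
        return $true
    }
    return $false
}

# Watchdog loop: run this in the interactive user's session (e.g. a logon task)
while ($true) {
    Disconnect-VpnIfCardRemoved -Name $VpnName | Out-Null
    Start-Sleep -Seconds $PollSeconds
}
```

Because this runs on the client, it only reduces the window until the next poll; it does not replace server-side re-authentication, which is what the poster was asking RRAS/NPS to provide.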

It seems like nobody can help with this problem, because Microsoft did not take care of it in the first place!
July 13th, 2013 3:37am
