Simplifying Win7 Smart Card Logon (PIN Prompt, disable CAD)
Hi, I've seen forms of this question asked before, but nothing pertaining to the specifics I'm looking for answers to. The end goal of what I'm looking to do is get the same user experience from smart card logon that I had in XP in Windows 7, including:
- no required Control+Alt+Delete (CAD)
- automatic prompting for PIN
- switching to the PIN prompt when the card is inserted (not having to dig through Other Credentials)
My research as far as disabling CAD has led me to find that I need to disable the Secure PIN Channel "feature" via Common Criteria Group Policy or edit a Cryptographic Service Provider (CSP) parameter via a minidriver. (Source) I'm new to the Windows admin side of life, but the Common Criteria GPO stuff seems to only return results related to Windows 2000 Server, and there are no Win7 GPOs that I have found to do what I'm looking to do. As far as getting the PIN prompt to come up after CAD, it doesn't seem like there's any consistent way to do it beyond tweaking the registry to change the key for "LastLoggedOnProvider" to smart card via a logon script. (Source) If anyone has an idea to share or some background knowledge beyond the documentation I'd found, I'd really appreciate it. Thanks
April 22nd, 2011 5:52pm

I recently developed a cryptographically secure password generator tool that I posted on my developer site. It includes the use of a cryptographic service provider; currently I am using RSA, but I may add ECC as an alternative. Keep in mind this generator is several hundred lines of C++ code. Smart cards have not really seen much use with the PC. There are some applications, but they are outside the scope of this post.
My MVP is for the Windows Desktop Experience, i.e. Windows XP, Vista and Windows 7. IT Remote Assistance is available for a fee. I am best with C++ and I am learning C# using Visual Studio 2010. Developer | Windows IT | Chess | Economics | Hardcore Games | Vegan Advocate | PC Reviews
April 23rd, 2011 4:56pm

Thanks for the response, but this has absolutely nothing to do with my question.
April 25th, 2011 4:45pm

A server policy can block CAD. Prompting for a PIN is not standard; generally user/pass is presented. As for the smart card, that is entirely dependent on the card and the associated software stack.
April 25th, 2011 4:48pm

Blocking CAD is about the best idea I've had in that regard, thanks for confirming. I suppose it's unfair to compare the functionality of a Windows XP minidriver to that of the default Windows 7 minidriver. I was just trying to see if I could get away with the built-in minidriver and avoid the cost and hassle of pushing a third party minidriver given that the basics are there.
April 25th, 2011 5:16pm

XP and Vista/7 are completely different animals. That's why I suggested using a new machine to test, with a clean install of Windows. Then you can have a baseline for testing; that is what I use virtual machines for all the time.
April 25th, 2011 6:34pm

I don't see where you suggested testing on clean machines/VM's. This is what I am doing, but my question is more along the lines of checking if it's possible to do what I'm trying to do, or if there's a better way. If you had any advice on my original question I'd appreciate it. Thanks
April 25th, 2011 6:55pm

Typically such scenarios involve some custom software that usually comes from the SC vendors. Then any additional software would be written on top of that. This is more of a development issue than IT. I use a smart card for access to secure areas on the Microsoft sites that are not open to the public. Microsoft provided all of the software for the card so that I can use IE to connect to those secure sites. This is a higher level of authentication than a simple user name and password. Microsoft also provided me with a smart card reader along with the card. The reader is USB, so I can use it easily. The card itself is the top model that is not even available to banks yet.
April 25th, 2011 6:59pm

The "CAD" is named "SAS", for Secure Attention Sequence. You can disable it through a group policy. The two other things you ask about should already be enabled. Regards, Vincent
April 29th, 2011 11:19pm
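As an added example (not posted by anyone in this thread), the script below does from PowerShell what the two answers above point at: it sets the registry value that the "Interactive logon: Do not require CTRL+ALT+DEL" security policy writes (DisableCAD under the Policies\System key), and it does the "LastLoggedOnProvider" change from the original question by looking the smart card credential provider up under the Credential Providers key rather than hardcoding its CLSID. The provider display name "Smartcard Credential Provider" and the fallback CLSID are assumptions about a stock Windows 7 build; verify them in your own registry before relying on the script. Keep in mind what the SAS is for: CTRL+ALT+DEL is intercepted by Winlogon so that the logon UI that appears is guaranteed to be the real one and not a credential-harvesting look-alike. Disabling it trades that trusted-path guarantee for convenience, and most hardening baselines (and a domain GPO, which will overwrite a local setting at refresh) require it to stay enabled.

```powershell
# Added example: configure SAS (CAD) and the default credential provider for
# smart card logon on Windows 7. Run elevated. Assumes a stock Win7 registry.
# -Mode "audit" only reports, "apply" writes the values, "revert" undoes them.
param(
    [ValidateSet("audit", "apply", "revert")]
    [string]$Mode = "audit"
)

$PolicyKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$LogonUIKey  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI"
$ProviderKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers"

# Assumed display name of the built-in smart card provider and its CLSID on
# Vista/7; the lookup below is authoritative, the literal is only a fallback.
$SmartcardProviderName = "Smartcard Credential Provider"
$FallbackSmartcardClsid = "{8FD7E19C-3BF7-489B-A72C-846AB3678C96}"

function Get-SmartcardProviderClsid {
    # Each registered credential provider is a subkey named by its CLSID whose
    # default value is the provider's display name.
    foreach ($sub in Get-ChildItem $ProviderKey -ErrorAction SilentlyContinue) {
        $name = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($name -eq $SmartcardProviderName) { return $sub.PSChildName }
    }
    Write-Warning "Provider '$SmartcardProviderName' not found; using assumed CLSID $FallbackSmartcardClsid"
    return $FallbackSmartcardClsid
}

function Get-CurrentState {
    $cad = (Get-ItemProperty $PolicyKey -Name DisableCAD -ErrorAction SilentlyContinue).DisableCAD
    $prov = (Get-ItemProperty $LogonUIKey -Name LastLoggedOnProvider -ErrorAction SilentlyContinue).LastLoggedOnProvider
    [pscustomobject]@{
        # DisableCAD 1 == "Do not require CTRL+ALT+DEL" enabled; absent/0 == SAS required
        DisableCAD           = if ($null -eq $cad) { 0 } else { $cad }
        LastLoggedOnProvider = $prov
    }
}

$clsid = Get-SmartcardProviderClsid
$before = Get-CurrentState
Write-Host ("Before: DisableCAD={0} LastLoggedOnProvider={1}" -f $before.DisableCAD, $before.LastLoggedOnProvider)

switch ($Mode) {
    "apply" {
        # 1. Same value the Security Options policy writes; a domain GPO that
        #    enforces the opposite will put it back at the next policy refresh.
        New-Item $PolicyKey -Force | Out-Null
        Set-ItemProperty $PolicyKey -Name DisableCAD -Value 1 -Type DWord
        # 2. Make the smart card tile the one LogonUI shows first (the original
        #    question's "LastLoggedOnProvider" logon-script approach).
        New-Item $LogonUIKey -Force | Out-Null
        Set-ItemProperty $LogonUIKey -Name LastLoggedOnProvider -Value $clsid -Type String
    }
    "revert" {
        Set-ItemProperty $PolicyKey -Name DisableCAD -Value 0 -Type DWord
        Remove-ItemProperty $LogonUIKey -Name LastLoggedOnProvider -ErrorAction SilentlyContinue
    }
    "audit" {
        # Report whether the SAS is still enforced, which is the hardened state.
        if ($before.DisableCAD -eq 1) { Write-Warning "SAS (CTRL+ALT+DEL) is disabled on this host" }
        else { Write-Host "SAS is required (hardened default)" }
    }
}

$after = Get-CurrentState
Write-Host ("After:  DisableCAD={0} LastLoggedOnProvider={1}" -f $after.DisableCAD, $after.LastLoggedOnProvider)
```

Running the script in its default audit mode is the useful part for most environments: it tells you whether someone has already turned the SAS off on a machine. Note that LastLoggedOnProvider is rewritten by Winlogon after every interactive logon, which is why the original poster found it had to be reset from a logon script rather than set once.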

