Understanding scenarios where smart card credentials roam to different user profiles

    Question

  • http://social.technet.microsoft.com/wiki/contents/articles/11483.credential-roaming.aspx#Smart_Card_Certificates_Become_Available_in_a_Different_User_Profile

    If > 1 user performs an interactive logon to any system that can see into a smart card, then the certificates (though not the private keys) on that smart card will end up in other user(s) profiles. Is my understanding correct here? Also...

    • Is behavior the same when the smart card is protected by a PIN?
    • It seems like the article suggests this behavior: if any user logging into a system that can see into a smart card is configured for credential roaming, all logged on profiles will not only pull the certificates from the smart card into their MY store - but those certificates will also start roaming with those profiles.

    These issues seem like a massive roadblock to killing off password-only authentication for my sensitive users. Although it seems like private keys remain protected - if there is no way to eliminate these behaviors - we will rapidly see many certificates from varying users spread across other profiles and roamed all over the place as part of normal workflows.

    Is there no way to limit smart card visibility to the user that plugged it in / entered the PIN to unlock it? Are smart cards only read under non-user (aka system) context(s) and that's the whole root of the problem?


    born to learn!

    Wednesday, January 27, 2016 2:37 PM

Answers

  • Hi,

    Q1: “If > 1 user performs an interactive logon to any system that can see into a smart card, then the certificates (though not the private keys) on that smart card will end up in other user(s) profiles. Is my understanding correct here?”

    My answer: Yes, your understanding is right. The smart card belongs to A, and B uses A’s workstation to perform an interactive logon. If B has credential roaming configured, A’s certificate will start roaming with B’s user profile and become available in B’s user profile.

    Q2: Is behavior the same when the smart card is protected by a PIN?

    My answer: This behavior has nothing to do with the security methods of the smart card. It only appears in certain scenarios.

    Q3: Is there no way to limit smart card visibility to the user that plugged it in / entered the PIN to unlock it?

    My Answer: Since this behavior only appears in specific scenarios, currently we do not have a perfect solution to deal with it. The only advice is:

    Users who often log on to an interactive session through a terminal server, while their smart card is mapped through the terminal server client, should not have credential roaming configured.

    Sorry for the limited help on this case.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 29, 2016 8:46 AM
    Moderator