Smart card for Windows Login - 10 years later
August 29, 2017 11:38 AM

How can I use smart cards to log into my Windows Server 2016 domain?

Ten Windows 10 Pro desktop users with domain accounts. They are tired of typing cryptic passwords. They would be happy to insert or wave a smart card in front of a reader of some sort. They then get logged in, preferably without having to type a pin. Bonus: If they had to insert the card, pulling it out will log them out.

This is a small place; buying certificates, a complete PKI solution, and software fees of 100(0)s of dollars won't work for them.

Is there a pragmatic solution that works on Win 10 Pro with domain accounts?

I found an old question from 2007; there must be something newer out there?
posted by nostrada to Computers & Internet (8 answers total) 1 user marked this as a favorite
Maybe Yubikeys? Yubico has information about getting started with Windows (including login) - scroll down a bit to get to Windows 10. Not sure about the "logout" on device removal support though.
posted by jeffch at 11:48 AM on August 29, 2017 [1 favorite]

I don't have a specific answer for the smartcard piece, but there are some settings you can change to help folks. Windows by default requires authentication on wake from sleep. (You can turn this setting off, though I'm not sure I would recommend it.) If you set your sleep timeout to a low number (like 10 minutes), either on the machine or in your group policy, people constantly have to reauthenticate when they walk away. If you lengthen that time to 30 or 60 minutes, you may be able to drastically reduce the number of times per day you authenticate. There are similar settings for how long a computer is allowed to idle before it locks automatically. Shorter = more re-authentications, but better physical security.

As far as authentication goes, you might look at Windows Hello. I believe it's fingerprint or facial recognition and not a smart card, but that's faster than what you're doing now. Lots of fingerprint readers are compatible and they're not expensive.
posted by cnc at 12:53 PM on August 29, 2017 [1 favorite]

You shouldn't need anything extra; Windows Server should be all you need without extra software. You can create your own CA, push the CA cert out to the clients, grab some smart card readers, some blank smart cards, and start enrolling users using your own in house CA.
posted by Talez at 1:46 PM on August 29, 2017 [1 favorite]
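The in-house CA route described in the answer above, as an added example (not code from the thread or from any vendor): stand up an Enterprise Root CA on a domain-joined Windows Server 2016 box with the built-in AD CS role, then check the two things smart card logon depends on that a fresh CA install most often misses. The CA name "CORP-ROOT-CA" is assumed; run elevated as an Enterprise Admin.

```powershell
# Added example: Enterprise Root CA for smart card logon, Windows Server 2016.
# Assumed name: CORP-ROOT-CA. Run elevated as Enterprise Admin.

# 1. Install the AD CS role and its management tools.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure it as an *Enterprise* Root CA. Because the CA is enterprise-type and
#    the server is domain-joined, setup publishes the CA certificate into AD (Trusted
#    Root and the NTAuth store), so "push the CA cert to clients" happens through
#    domain membership rather than a separate GPO step.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCa `
    -CACommonName "CORP-ROOT-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 3. Check 1: the CA must appear in the enterprise NTAuth store. Kerberos PKINIT
#    only accepts logon certificates chaining to a CA listed here; a missing entry
#    is the usual reason a brand-new CA produces "the system could not log you on".
certutil -store -enterprise NTAuth

# 4. Check 2: every domain controller needs its own certificate from this CA before
#    it can accept a smart card logon. Run this ON each DC; KerberosAuthentication is
#    the internal name of the built-in "Kerberos Authentication" template.
Get-Certificate -Template KerberosAuthentication -CertStoreLocation Cert:\LocalMachine\My

# 5. Workstations pick up the new root at their next policy refresh; force it when testing.
gpupdate /force
```

After this, user enrollment is done by duplicating the built-in "Smartcard Logon" template in certtmpl.msc, publishing it on the CA, and enrolling each card through an enrollment agent or the user's own enrollment, which is GUI-driven and not shown here. Two caveats a practitioner will hit: the CRL distribution point embedded in the issued certificates must be reachable from the workstation at logon time or logon fails, and `-Force` suppresses the confirmation prompt, so read the parameters before running on a production domain.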

Seconding that Windows Hello is worth looking into. You can even configure it to use a PIN for login (meaning no hardware needs to be purchased, whether that be card readers or fingerprint readers), though it may require that the client machines have a Trusted Platform Module installed and enabled.
posted by Aleyn at 3:12 PM on August 29, 2017

"Seconding that Windows Hello is worth looking into. You can even configure it to use a PIN for login (meaning no hardware needs to be purchased, whether that be card readers or fingerprint readers), though it may require that the client machines have a Trusted Platform Module installed and enabled."

It doesn't need TPM for me. I use a Mouse Facial Recognition Camera and it works fine.
posted by Talez at 3:19 PM on August 29, 2017

Thank you so much for your input. I will try a Yubikey and I have ordered the camera.
posted by nostrada at 3:29 PM on August 29, 2017

the governance is going to be the hard part. i sorta guess it's easier that you aren't looking at this from a 'get two-factor and client identity improved' but from a 'more convenient for users' pov.

even with that said, it's gonna be a bit of a bitch.

the tech bit is easy: create a ca using makecert. create client certs using makecert + ca. then, use Active Directory Certificate Mapping (it's called this specifically) to map client certs to ad accounts.

you don't have to use smart card, you can carry around a cer, pfx, whatev on any media. but then, whoever gets the media gets the client cert. same as with a smart card, but generally people are habituated to protect cards in their wallet. as opposed to habitually putting thumb drives in a washing machine.

smart card w pin is best, but a little pricier.

then, use ActivClient to manage the login/sleep/logout rules.

that's it, technically. governance...

-who is authorized to make client certs?
-what happens if they die? or quit? or get sacked?
-what is the system for making smart cards?
-what is the turnaround for a new employee?
-decomming an old employee
- lost/stolen cards? use an acl to revoke? reassociate the ad account with a new cert?
- what if an A level exec left his card in paris, now it's 7am in hong kong and he needs to log in RIGHT NOW? 24 hour helpdesk?
-related, you could say "login with your password." sigh, who can remember a 16 char 2upper 2lower numeral and special character with no dictionary lookup and no adjacent keyboard strokes pw that they don't use several times a day? are you going to do a pw reset over vpn? how's A gonna log in?
-cards wear out. what do you do for a faulty card. is the employee on the beach until he gets another card? what if he's in munich?
-people forget pins. same as above. gotta reissue a card.

it's the edge cases that will fuck you. it needs planning.

(20 years DOD and civ IA, especially PKI - not fulltime til last few years, but involved as a cardholder and sysad in some fashion)
posted by j_curiouser at 7:50 PM on August 29, 2017 [1 favorite]
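The "tech bit" from the post above, as an added example that is not the poster's code: a private CA and a client certificate built with New-SelfSignedCertificate in place of the deprecated makecert, the CA published into AD, the certificate mapped to the AD account through the altSecurityIdentities attribute (the "Active Directory certificate mapping" the post refers to), and the card-removal lock/logoff behaviour set with the built-in Windows policy rather than ActivClient. "Lab Issuing CA", the user "alice" and the domain corp.example are assumed names. It assumes Windows 10 / Server 2016 PowerShell (for the `-Signer` parameter), the ActiveDirectory RSAT module for Set-ADUser, Enterprise Admin rights for the certutil -dspublish steps, and that the domain controllers already hold a certificate from a trusted CA as required for any smart card logon.

```powershell
# Added example: makecert-style CA + client cert, AD mapping, card-removal policy.
# Assumed names: "Lab Issuing CA", user alice, domain corp.example.

# --- 1. Private CA key and certificate (the makecert "create a ca" step) ---
$ca = New-SelfSignedCertificate -Type Custom `
    -Subject "CN=Lab Issuing CA,DC=corp,DC=example" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign -KeyExportPolicy Exportable `
    -TextExtension @("2.5.29.19={critical}{text}ca=TRUE&pathlength=0") `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation Cert:\LocalMachine\My

# --- 2. Client logon certificate signed by that CA ---
# Smart Card Logon EKU 1.3.6.1.4.1.311.20.2.2 is mandatory; Client Authentication
# 1.3.6.1.5.5.7.3.2 is expected alongside it. The UPN in the SAN lets Windows locate
# the account even before the explicit mapping in step 4 is added.
$user = New-SelfSignedCertificate -Type Custom -Signer $ca `
    -Subject "CN=alice,OU=Users,DC=corp,DC=example" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment -KeyExportPolicy Exportable `
    -TextExtension @(
        "2.5.29.37={text}1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.20.2.2",
        "2.5.29.17={text}upn=alice@corp.example") `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation Cert:\CurrentUser\My

# Public CA cert goes to AD; the user cert + private key goes onto the card (or, as
# the post says, any media, with the same "whoever holds it, owns it" caveat).
Export-Certificate -Cert $ca -FilePath .\lab-ca.cer | Out-Null
$pfxPw = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $user -FilePath .\alice.pfx -Password $pfxPw | Out-Null
# Loading alice.pfx onto a smart card / PIV token is vendor-specific and not shown.

# --- 3. Trust the CA domain-wide: Trusted Root AND NTAuth (PKINIT needs both) ---
certutil -dspublish -f .\lab-ca.cer RootCA
certutil -dspublish -f .\lab-ca.cer NTAuthCA

# --- 4. Explicit AD certificate mapping via altSecurityIdentities ---
# The X509:<I>issuer<S>subject form writes each DN in reverse RDN order.
function ConvertTo-MappingDn([string]$dn) {
    $parts = $dn -split ',\s*'
    [array]::Reverse($parts)
    return ($parts -join ',')
}
$mapping = "X509:<I>" + (ConvertTo-MappingDn $ca.Subject) +
           "<S>"      + (ConvertTo-MappingDn $user.Subject)
# e.g. X509:<I>DC=example,DC=corp,CN=Lab Issuing CA<S>DC=example,DC=corp,OU=Users,CN=alice
Set-ADUser -Identity alice -Add @{altSecurityIdentities = $mapping}

# Lost/stolen card with no CRL infrastructure: pull the mapping, reissue, re-map.
# Set-ADUser -Identity alice -Remove @{altSecurityIdentities = $mapping}

# --- 5. Removal behaviour without ActivClient ---
# "Interactive logon: Smart card removal behavior": "1" = lock, "2" = force logoff.
# The Smart Card Removal Policy service must be running or the value is ignored.
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" `
    -Name ScRemoveOption -Value "2" -Type String
Set-Service SCPolicySvc -StartupType Automatic
Start-Service SCPolicySvc

# --- 6. Sanity check on a workstation with the card inserted ---
certutil -scinfo
```

Two things to know before copying this into a real domain. The issuer+subject (`<I>...<S>...`) mapping is the form that was standard in 2017; since KB5014754 (Windows updates from 2022 onward) it is classed as a weak mapping and domain controllers can be set to reject it, so for new deployments use the `X509:<SKI>` or `X509:<I>...<SR>...` forms that bind the mapping to the key identifier or serial number instead. And the original question's wish to skip the PIN has no supported answer with smart card logon: the Windows smart card credential provider always prompts for the card's PIN, which is exactly what turns possession of the card into two-factor rather than a bearer token.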

annnnd...the other biometric identity management approaches above are certainly viable.

be certain to plan for outages with peripherals: card readers, fingerprint readers, cameras...

this will happen on the road, in a different timezone, 15 minutes before a presentation. travel with spares of whatever. i take an extra cardreader w me everywhere.

if IA is a new responsibility for you, look closely at the expectations. and consequences.

read up, too. the topic you wanna focus on is Authentication & Authorization.

posted by j_curiouser at 7:59 PM on August 29, 2017
