Question
I have created an EFI Pre-Boot Application wherein I enter the user credentials, which are passed to Windows to log on (Single Sign On) using my credential provider.
I have a Group policy "Interactive logon: Smart card removal behavior" set to "Lock Workstation: The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session."
So if I reboot the machine and log in using my credential provider, the Group Policy is not enforced when I remove the smart card. But if I lock and unlock the machine and then remove the smart card, the Group Policy works and the machine gets locked.
As per this article https://blogs.technet.microsoft.com/instan/2010/03/08/deconstructing-the-smartcard-removal-policy-service/ I can see that the registry entry is NOT created under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Removal Policy when I log on using smart card SSO (my custom credential provider).
So my question is: am I missing something in my credential provider? Do I have to call any API from my credential provider to make the GPO work, or do I have to implement the corresponding logic in my credential provider so that the GPO is enforced by the Smart Card Removal Policy service?
Answer 1:
Before starting the service you must prepare registry values for it.
- Parameter in the registry path
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Removal Policy
- Its name must be the logon session id (text '0', '1' etc.)
- The value is a binary combination of the smart card reader name and its status (as noted in the article).
In my case it looks like this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Removal Policy]
"1"=hex:41,00,4b,00,53,00,20,00,69,00,66,00,64,00,68,00,20,00,30,00,00,00,00,00,1f,00
It is decoded as the Unicode string "AKS ifdh 0" with NULL terminator and the DWORD value 0x00190000, where 0x0019 is the insertion and removal count of the smart card into the reader since boot.
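As an added example (not code from the question or the answer above), the following C++ encodes and decodes the REG_BINARY layout the answer describes: a UTF-16LE reader name, a two-byte NUL terminator, then a little-endian DWORD counter. It parses the comma-separated hex shown in the answer's registry export and round-trips it; note that the trailing bytes 00,00,1f,00 read little-endian as 0x001f0000. The function names, the ParseRegHex helper and the Windows-only WriteRemovalPolicyValue wrapper are my own; the wrapper uses the documented RegCreateKeyExW/RegSetValueExW APIs and is compiled only on Windows. Which session id to use, and at which point in the logon the value must exist, is not something this page settles beyond "before starting the service".

```cpp
#include <cstdint>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// Decoded form of one value under ...\Removal Policy.
struct RemovalPolicyEntry {
    std::u16string readerName;  // smart card reader name, without the NUL
    uint32_t counter = 0;       // DWORD that follows the terminator (little-endian)
};

// Build the blob: UTF-16LE name, 0x0000 terminator, then the DWORD in little-endian order.
std::vector<uint8_t> EncodeRemovalPolicyValue(const std::u16string& readerName, uint32_t counter) {
    std::vector<uint8_t> out;
    for (char16_t ch : readerName) {
        out.push_back(static_cast<uint8_t>(ch & 0xFF));
        out.push_back(static_cast<uint8_t>(ch >> 8));
    }
    out.push_back(0);
    out.push_back(0);  // NUL terminator
    for (int i = 0; i < 4; ++i)
        out.push_back(static_cast<uint8_t>((counter >> (8 * i)) & 0xFF));
    return out;
}

// Parse the blob back. Returns false when the terminator is missing, the DWORD is
// truncated, or the byte count is not even (a malformed value should not be trusted).
bool DecodeRemovalPolicyValue(const std::vector<uint8_t>& blob, RemovalPolicyEntry& out) {
    if (blob.size() % 2 != 0) return false;
    std::u16string name;
    size_t pos = 0;
    bool terminated = false;
    while (pos + 1 < blob.size()) {
        char16_t ch = static_cast<char16_t>(blob[pos] | (blob[pos + 1] << 8));
        pos += 2;
        if (ch == 0) { terminated = true; break; }
        name.push_back(ch);
    }
    if (!terminated || blob.size() - pos != 4) return false;
    uint32_t counter = 0;
    for (int i = 0; i < 4; ++i)
        counter |= static_cast<uint32_t>(blob[pos + i]) << (8 * i);
    out.readerName = name;
    out.counter = counter;
    return true;
}

// Turn a .reg-style "41,00,4b,00,..." list into bytes.
std::vector<uint8_t> ParseRegHex(const std::string& hexList) {
    std::vector<uint8_t> bytes;
    std::istringstream in(hexList);
    std::string tok;
    while (std::getline(in, tok, ','))
        bytes.push_back(static_cast<uint8_t>(std::strtoul(tok.c_str(), nullptr, 16)));
    return bytes;
}

// ASCII-only narrowing so the reader name can be compared as std::string.
std::string Narrow(const std::u16string& s) {
    std::string out;
    for (char16_t ch : s) out.push_back(ch < 0x80 ? static_cast<char>(ch) : '?');
    return out;
}

// Constructed sample: the exact hex list from the answer's registry export.
const char* kSampleRegHex =
    "41,00,4b,00,53,00,20,00,69,00,66,00,64,00,68,00,20,00,30,00,00,00,00,00,1f,00";

#ifdef _WIN32
#include <windows.h>
// Write the blob as REG_BINARY, named after the logon session id (e.g. L"1").
// Requires rights to HKLM; hypothetical wrapper, not part of any Windows API.
bool WriteRemovalPolicyValue(const wchar_t* sessionId, const std::vector<uint8_t>& blob) {
    HKEY key = nullptr;
    LSTATUS st = RegCreateKeyExW(HKEY_LOCAL_MACHINE,
        L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Removal Policy",
        0, nullptr, 0, KEY_SET_VALUE, nullptr, &key, nullptr);
    if (st != ERROR_SUCCESS) return false;
    st = RegSetValueExW(key, sessionId, 0, REG_BINARY, blob.data(), static_cast<DWORD>(blob.size()));
    RegCloseKey(key);
    return st == ERROR_SUCCESS;
}
#endif
```

The decoder rejects a value without a terminator or with a short DWORD rather than guessing, which is the behaviour you want when the key is writable by whatever component prepares it for the service.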
Source: https://stackoverflow.com/questions/53074177/smart-card-removal-policy-is-not-enforced-when-performing-sso-using-custom-crede