Link to home
Create AccountLog in
Avatar of smilebpi1
smilebpi1

asked on

Has anyone ever successfully used a mag-stripe card to authenticate a windows XP workstation to an Active Directory Domain?

I suspect I'll have to have someone code me a custom Gina for this, but here goes.  Our owner, who is visionary, but also self-admittedly isn't always the most tech savvy individual, has tasked us with the following scenario:
Background - we currently use a mag-stripe card to gain access to our building, and our hourly employees also use the same card for time-clock functions.  The card is encoded on track 2, with a 7-digit string, comprised of a leading ";" then 5 numeric digits and a trailing "?" (remove quotes), or ;00000?.

Scenario - He wants us to configure our PC logins to allow the same card to be used to swipe and login to the domain.  BUT, he doesn't want the card to have to be altered, ergo, we need to somehow alias the ;00000? string to an actual login/password combination against the domain controller.  NOTE - I have used Smard Card technology in the past to perform this, and Microsoft supports this feature pretty much out of the box, but I've never used a mag-stripe card, or reader (which is essentially a keyboard wedge), to do the same.

So, my first thought was a custom Gina, but I'm not a programmer, so that's the least desireable option for me at this point in time, aside from the fact that everytime there's a service pack, we run the risk of wiping out the custom Gina.  I'm at the point where, job security aside, i'm ready to tell him it's not possible and to get stuffed, but I figure if anyone else has done something similar they've done it here.

In summary, we have existing mag-stripe encoded cards, with a string we can't alter, that we need to be able to use to login our PC workstations to our domain.  I believe we need a custom Gina, but really looking for alternatives.  Thank you all for your support and assistance, even if I get a resounding "NO" to any alternatives.

Avatar of JRaster
JRaster
Flag of United States of America image

Sorry, I dont have an answer for this one, but i have a secondary solution that does not require employees to carry another card.
http://www.digitalpersona.com/business/enterprise.php

I have it setup and it works great!
If you take security seriously, you will NOT be implementing this, at least not without a secondary login requirement, like....password, fingerprint etc.
.... magnetic cards are sooooo easy to duplicate it's not funny.
Avatar of smilebpi1
smilebpi1

ASKER

Agree totally about the security issues, but when the owner asks for something, we do it...
Also, thanks for the info JRaster, we have some biometrics already in place, but we have mitigating circumstances which prohibit us from using a finger swipe.  But, on a lighter note, we may be able to use a hybrid card, a SmartCard with an encodable mag-stripe...  Waiting on the demo kit, stay tuned :)
Digital Persona is not a finger swipe, its a finger reader.  So you just press and hold for a milisecond and it reads it.  
You should try one for R&D.  http://www.cdw.com/shop/products/default.aspx?EDC=858448
The workstation will work on a single computer using active directory.  You can also assign fingerprint to web applications to have a single sign on.  
If you add the active directory digital persona server, then your finger print witll work on any computer that has the digtial persona fingerprint reader.  I have it on thirty computers right now.  
sorry, didn't mean it was prohibitive from a technology (swipe versus read) perspective, it's just that once we've gotten him what he wants on the PC's, we need to do the same with a number of MFP (large copier/scanner/printer) units as well, and, well, let's just say their interface capabilities aren't as robust as a PC's (we're pretty much limited to connecting a USB mag-stripe to them), but they can authenticate against an intermediary database as they have LDAP capabilities that allow us to play with the authentication a bit more...  But thanks for the info just the same, i do like the idea of a scan verus swipe for biometric authentication.
Thats cool. Sorry you have to have so much controls on printers and copiers.  =(
ASKER CERTIFIED SOLUTION
Avatar of smilebpi1
smilebpi1

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account