smart card and token for windows login

Posted on 2013-12-23
Last Modified: 2016-07-12
We are currently in the process of implementing smart card Windows login; we need to have a secondary login using a token (e.g. RSA) in case an employee forgets/loses his smart card.
What is the possibility of having a token as a secondary login, and how do we switch between smart card login and token login?
Question by:zulfiqar43111
LVL 63

Assisted Solution

btan earned 134 total points
ID: 39737492
Likely you need the fallback plan to be fronted by some sort of "intelligent" proxy such that it is able to execute the plan accordingly. I see maybe you can leverage an Application Delivery Controller (ADC, which is at the same time load-balancer capable) such as F5 APM, or Forefront TMG (or ISA), or the Cisco ACS type of approach.

I don't think you can indicate fallback via Active Directory on the Windows login account, besides going back to login via user/password out of the Windows box, which is more of a downgrade... RSA OTP can also be part of the Windows login GINA, as most enterprises have used it, but likely you need to cater for Enterprise SSO (recall there is IBM Tivoli and Oracle IDM), which is part of an identity mgmt suite.

Pls see the below:

(F5 APM for AAA servers; it has the flexibility to configure various authentication means using the policy editor. But it tends to work with your org's IDM provider.)

(see "Methods for validation of client credentials" onwards, e.g. if authentication fails, Forefront TMG provides the server's failure notice to the client. If the server requires a different type of credentials, Forefront TMG triggers an alert. Also the 2nd link talks about SecurID and ISA.)

(see the HA configuration, but for your case of user fallback it may be too tedious to do it specific to a single user; I was thinking maybe ACS can act as a directory to check and fall back according to user mapping - need to explore further on the 2nd link's "Unknown user policy External database Mapping RSA".)
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 66 total points
ID: 39743465
I don't think you've thought this through; why does a user need two logins? With Active Directory there are no secondary passwords or fall-backs; it's the user's password or nothing. You can use tokens to be the passwords or authenticators, like Yubikey's standard token; it is basically a USB device that replays a password when you want it to. Place the USB in, put the cursor in the password field, click a button on the USB device and it "types" the password in. It's almost 100% universal. That is the only thing I can think of using; the Yubikey would have the same password the user knows, however, so it's only going to work as a backup, not an alternate.
I think I don't understand the question really; I can't picture this fallback working for anything. But I'm a security guy and that sounds like bad bad bad security.
LVL 63

Expert Comment

ID: 39743482
This is more like having user recovery if he/she forgets their password too, i.e. self-service reset of password. There are many means to have it, and likewise if the PIN is forgotten and it is not due to a backend outage or errors, the user has to bear the ownership to recover via the helpdesk as per norm; this is similar to revoking expired certs or a token that is spoilt. I do agree there shouldn't be so many logins, especially for the OS; it is either smartcard or the normal username/passwd, but as shared it is a security downgrade. Go for maintaining the change mgmt process in user awareness and resiliency in the backend. App login can vary, but not OS (including preboot) login, as that is the critical juncture to access all possible services via the machine.
LVL 63

Accepted Solution

btan earned 134 total points
ID: 41704627
Actually I am thinking the question is better answered as: just install it as another credential provider based on the provider, e.g. RSA SecurID (OTP token) has its own software and the other smartcard provider will also have its own software (cum token driver and crypto provider). Depending on which hardware is used by the user on login, through the tile selected it will authenticate against the smartcard or token. The provider can be filtered as well. Look at the RSA suggestion:
Navigate to Start > Run > "gpedit.msc" > Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > RSA Desktop > Credential Provider Filter Settings
This can be accomplished by enabling the exclusion on third-party credential providers. You can leave all the rest of the credential providers as Not configured, which is the default setting.
Exclude the Microsoft Password Credential Provider = Not configured
Exclude the RSA Credential Provider for disconnect auth = Not configured
Exclude the RSA Smart Card Credential Provider = Not configured
Exclude the Third-party Credential Providers = Enabled

As a whole, it should be viable to answer the query.
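As an added example (not from this thread and not RSA's or Microsoft's own tooling), a PowerShell inventory of the credential providers and provider filters registered on a machine, so an administrator can confirm which logon tiles are available before and after applying a filter policy like the one above. It assumes the standard registry locations under HKLM\...\Authentication and, for Microsoft's built-in "Exclude credential providers" logon policy, the ExcludedCredentialProviders value; the RSA Desktop policies above are in RSA's own ADMX and are not read here.

```powershell
# Added example: list credential providers and provider filters, flag third-party
# ones and any excluded by the Microsoft logon policy. Run elevated.
$base   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed: the "Exclude credential providers" policy stores comma-separated CLSIDs
$excluded = @()
$p = Get-ItemProperty -Path $policy -Name ExcludedCredentialProviders -ErrorAction SilentlyContinue
if ($p) {
    $excluded = $p.ExcludedCredentialProviders -split ',' | ForEach-Object { $_.Trim().ToLower() }
}

function Get-ProviderInfo {
    param([string]$SubKey, [string]$Kind)
    Get-ChildItem -Path (Join-Path $base $SubKey) -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        # Friendly name is the key's default value; fall back to the COM class name
        $name = (Get-ItemProperty -Path $_.PSPath).'(default)'
        if (-not $name) {
            $name = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        }
        # The DLL that implements the provider tells you whose code runs at the logon screen
        $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Kind             = $Kind
            CLSID            = $clsid
            Name             = $name
            Dll              = $dll
            # Heuristic: anything not loaded from System32 is treated as third-party
            ThirdParty       = [bool]($dll -and $dll -notmatch '(?i)system32')
            ExcludedByPolicy = ($excluded -contains $clsid.ToLower())
        }
    }
}

$report = @(Get-ProviderInfo 'Credential Providers' 'Provider') +
          @(Get-ProviderInfo 'Credential Provider Filters' 'Filter')
$report | Sort-Object Kind, Name | Format-Table -AutoSize
```

Run it once before installing the RSA and smartcard software and once after, and diff the two reports to see exactly which providers and filters each package registered.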
LVL 63

Expert Comment

ID: 41704633
Can I suggest that the below are considered for the solution.
http://#ID:41704627 (tile based selection by user)
http://#ID:39737492 (another means using a proxy to manage which login approach)
http://#ID:39743465 (another form factor)

This is on the understanding that it is not asking for multifactor authentication, e.g. not to restrict only to a 2nd factor, and also not asking for HA configuration. It is more that the user should be able to use either smartcard or token, if I read it correctly.
