Cached credentials and users with one or more smart cards

Cached credentials in Windows are useful when you need to log on to a domain-joined machine while it has no connectivity to a domain controller. You can use Group Policy to turn this feature on or off and to set how many logons are cached (the setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", stored as the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the default is 10). On machines that never leave the network, such as servers and jump hosts, it is safer to set the count to 0, since an attacker with SYSTEM access can dump the cached verifiers and attack them offline.
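As an added example (not part of the original post), the following PowerShell reads the cached-logon policy from the registry, interprets it the way Winlogon does, and offers a -WhatIf-capable setter for hardening. The key path and value name are the real ones; the function names are my own.

```powershell
# Added example, not from the original post.
# Reads and interprets "Interactive logon: Number of previous logons to cache".
# Windows stores it as the REG_SZ value CachedLogonsCount under Winlogon;
# a GPO-set value lands in the same place. Run elevated to change it.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonPolicy {
    $props = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    $raw   = if ($props) { $props.CachedLogonsCount } else { $null }

    # A missing value means the Windows default of 10 cached logons.
    $count  = if ($null -eq $raw) { 10 } else { [int]$raw }
    $source = if ($null -eq $raw) { 'default' } else { 'registry' }
    $note   = if ($count -eq 0) {
        'Offline domain logon is not possible on this machine'
    } else {
        "The last $count distinct (user, credential) logons are cached"
    }

    [pscustomobject]@{
        CachedLogonsCount = $count
        Enabled           = ($count -gt 0)
        Source            = $source
        Note              = $note
    }
}

function Set-CachedLogonPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The policy UI allows 0 through 50.
        [ValidateRange(0, 50)]
        [int]$Count
    )
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount = $Count")) {
        # Keep the REG_SZ type: Winlogon reads the value as a string.
        Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value "$Count" -Type String
    }
}

# Show the current state; e.g. on a server you might then run:
#   Set-CachedLogonPolicy -Count 0 -WhatIf
Get-CachedLogonPolicy
```

The setter writes directly to the registry, so on a domain-joined machine a conflicting GPO will put the value back on the next policy refresh; change it in the GPO if one applies.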

If the user Bob has a smart card and logs on twice, once as domain\bob with his password and once with his smart card and PIN, he will have two entries in the cached logon list. He can then go home (offline) and log on with either his username and password or his smart card.

If, however, the same user Bob has two smart cards and logs on with SC1 and then with SC2, the cached entry for SC2 will (in most cases) be the only one he can use for a cached logon, because it overwrites the cached logon data from SC1.

This scenario comes up when the security team issues a user two cards, one as a spare in case he leaves the other at home or at work. He logs on at work with SC1 and, when he gets home, expects to log on with cached credentials using SC2. Because of the way logon information is cached, the certificate on the second smart card must be issued by a different issuing certification authority (CA). If a different CA is not used, the last smart card the user used online is the only one that can be used to log on while offline.
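As an added example (not part of the original post), the PowerShell below performs the check this paragraph implies: it lists the Smart Card Logon certificates that the Certificate Propagation service has copied into the current user's personal store and groups them by issuing CA, flagging any issuer that appears on more than one card. The EKU OID and the Cert: provider paths are real; the function names are my own, and grouping by issuer DN is a heuristic for "same issuing CA" rather than a reproduction of how Windows keys the cache.

```powershell
# Added example, not from the original post.
# Two smart cards whose logon certificates come from the same issuing CA
# overwrite each other's cached logon entry, so only the card used last
# online works offline. This finds such pairs for the current user.

# Microsoft Smart Card Logon enhanced key usage OID.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'

function Get-SmartCardLogonCertificate {
    param(
        # Propagated smart card certificates land in the user's personal store.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object {
            # EnhancedKeyUsageList is the Cert: provider's view of the EKU extension.
            $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku
        }
}

function Test-SmartCardIssuerConflict {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates
    )
    $Certificates |
        Group-Object -Property Issuer |
        ForEach-Object {
            [pscustomobject]@{
                Issuer      = $_.Name
                CardCount   = $_.Count
                # More than one logon cert from this CA: offline logon will only
                # work with whichever of them was used last while online.
                Conflict    = ($_.Count -gt 1)
                Thumbprints = ($_.Group | Select-Object -ExpandProperty Thumbprint) -join ', '
                NotAfter    = ($_.Group | Select-Object -ExpandProperty NotAfter) -join ', '
            }
        }
}

$certs = @(Get-SmartCardLogonCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No Smart Card Logon certificates found in the personal store; insert each card once so they propagate.'
} else {
    $report = Test-SmartCardIssuerConflict -Certificates $certs
    $report | Format-Table -AutoSize
    if ($report | Where-Object Conflict) {
        Write-Warning 'Cards sharing an issuing CA found: only the one used last online will work for cached logon.'
    }
}
```

Only cards that have been inserted on this machine while the Certificate Propagation service was running will appear in the store, so run this on the workstation the user actually takes offline, after both cards have been used there at least once.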
