Troubleshoot Authentication Issues - SmartCards

3/13/2011 10:27:48 PM
Authentication is the process of having an authentication system validate a user’s identity. First, a user provides some sort of proof of identity and then requests an authentication system to validate that identity information is accurate. This confirms that the user is a known, trusted user on the computer system or network.

Authentication can be based on the following mechanisms:

  • Something You Know—Like a password or a PIN

  • Something You Have—Like a SmartCard or token device

  • Something You Are—Like a fingerprint or voice print, a biometric

  • Someplace You Are—Like a room (physical), an IP subnet (logical), or a time

Windows Vista can use the authentication protocols listed in Table 1.

Table 1. Authentication Protocols Supported by Windows Vista

  • PAP—Password Authentication Protocol
    Description: Clear text usernames and passwords. Not recommended.
    When to use: When clients on third-party operating systems need to authenticate.

  • SPAP—Shiva Password Authentication Protocol
    Description: Weak encryption; considered clear text. Not recommended.
    When to use: When clients on third-party operating systems using SPAP need to authenticate.

  • CHAP—Challenge Handshake Authentication Protocol
    Description: Encrypted usernames and passwords. Passwords are stored using reversible encryption.
    When to use: When clients on third-party operating systems (Mac, Unix, Linux) have authentication encryption enabled.

  • MS-CHAPv1—Microsoft Challenge Handshake Authentication Protocol version 1
    Description: Encrypted usernames and passwords. Passwords are stored using one-way encryption.
    When to use: On Microsoft Windows 95, NT 4 (pre-SP4), and 98 (pre-SE) clients.

  • MS-CHAPv2—Microsoft Challenge Handshake Authentication Protocol version 2
    Description: Encrypted usernames and passwords. Stronger than MS-CHAPv1.
    When to use: On Microsoft Windows NT 4 SP4, 98 SE, 2000, XP, 2003, and Vista clients.

  • EAP—Extensible Authentication Protocol
    Description: Allows additional authentication mechanisms to be used, including digital certificates and PKI. Typically stronger than password-based authentication.
    When to use: With all certificate-based authentication, including SmartCards, biometrics, and so on.

These are all password-based authentication mechanisms, except for EAP.

In Windows Vista, the default logon authentication protocol is MS-CHAPv2. This is Microsoft’s second version of the open standard Challenge Handshake Authentication Protocol. This is the strongest one-factor authentication protocol available to Windows Vista. One-factor authentication utilizes only one of the authentication mechanisms (like something you know, have, or are).

SmartCards

To strengthen authentication beyond MS-CHAPv2, you can require more than one authentication mechanism and move to multifactor authentication. One of the most common multifactor authentication mechanisms is the use of SmartCards, along with a password or Personal Identification Number (PIN). This is referred to as two-factor authentication—something you have and something you know.

Microsoft has built in many controls to strengthen the two-factor authentication processes with the use of SmartCards. These controls are configured in the Local Security Policy (LSP) for the Vista computer or by GPO in an Active Directory environment.

To configure Vista for SmartCards, you principally need two settings. These are located in the Security Options section of the LSP and GPO, as shown in Figure 1.

Figure 1. Strengthen authentication in Windows Vista by requiring two-factor authentication with SmartCards.

They are:

  • Interactive logon—Require smartcard. This can either be enabled or disabled.

  • Interactive logon—Smart card removal behavior. The settings are

    No Action

    Lock Workstation

    Force Logoff

    Disconnect if a remote Terminal Services session
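As an added example (not the article's own), a PowerShell check that reads the two Security Options above and flags a workstation where smart card logon is not enforced or the removal behavior is weaker than intended. The registry values it reads are my assumption about what backs those two policies, so confirm them against secpol.msc on your build.

```powershell
# Added example, not from the original article: audit the two Security Options above.
# Assumed registry backing (confirm against secpol.msc on your build); GPO security
# settings are written to the same values, so this check covers LSP and GPO alike:
#   Require smartcard           -> Policies\System, scforceoption (DWORD, 1 = enabled)
#   Smart card removal behavior -> Winlogon, scremoveoption (string "0".."3")
$RemovalBehaviors = @{
    '0' = 'No Action'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
    '3' = 'Disconnect if a remote Terminal Services session'
}

function Get-SmartCardLogonPolicy {
    $sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $wlKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # An absent value means "Not Defined", which behaves like the default:
    # smart card not required, and No Action on card removal.
    $force  = (Get-ItemProperty -Path $sysKey -Name scforceoption  -ErrorAction SilentlyContinue).scforceoption
    $remove = (Get-ItemProperty -Path $wlKey  -Name scremoveoption -ErrorAction SilentlyContinue).scremoveoption
    $code   = if ($null -eq $remove) { '0' } else { [string]$remove }
    [pscustomobject]@{
        RequireSmartCard    = ($force -eq 1)
        RemovalBehaviorCode = $code
        RemovalBehavior     = if ($RemovalBehaviors.ContainsKey($code)) { $RemovalBehaviors[$code] } else { "Unknown ($code)" }
    }
}
function Test-SmartCardLogonPolicy {
    param(
        # "No Action" is deliberately not accepted: a session that survives card
        # removal gives up the "something you have" factor.
        [ValidateSet('Lock Workstation', 'Force Logoff', 'Disconnect if a remote Terminal Services session')]
        [string]$ExpectedRemovalBehavior = 'Lock Workstation'
    )
    $policy   = Get-SmartCardLogonPolicy
    $findings = @()
    if (-not $policy.RequireSmartCard) {
        $findings += 'Require smartcard is disabled or not defined: password-only logon is still accepted.'
    }
    if ($policy.RemovalBehavior -ne $ExpectedRemovalBehavior) {
        $findings += "Removal behavior is '$($policy.RemovalBehavior)'; expected '$ExpectedRemovalBehavior'."
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
        Policy    = $policy
    }
}
Test-SmartCardLogonPolicy -ExpectedRemovalBehavior 'Lock Workstation' | Format-List
```

Run it from an elevated prompt on the Vista machine (or via a remoting session) and treat any non-empty Findings as a policy gap to fix in the LSP or the linked GPO.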
