PaulDotCom mailing list archives

Re: Requiring smart card use in a Windows domain


From: Herndon Elliott <alabamatoy () gmail com>
Date: Fri, 21 Jun 2013 06:42:10 -0500

Date: Thu, 20 Jun 2013 15:04:18 -0600
From: Terri Shuey <mathair.jedi () gmail com>
To: "pauldotcom () mail pauldotcom com" <pauldotcom () mail pauldotcom com>
Subject: [Pauldotcom] Requiring smart card use in a Windows domain

When testing the 2 different configuration options to require smart card
use for interactive logins (computer vs user account setting) we found both
options broke access to other applications that were linked to AD.  For
example corporate mail delivery to iDevices when the user account was
required to use a smart card.  Or RunAs Admin when computer account was set
to require it.

Since corporate mail delivery to an iDevice is normally considered mission
critical (heaven forbid if email is down) has anyone found a way to bypass
or limit either of these account configurations to just normal user
accounts on specific devices?  For example require the computer account to
use smart card but allow RDP or RunAs for admins without smart card
required?

See http://militarycac.com - solution is "Middleware" tools.  What you
describe is widely deployed and solved in DoD.  Also, there are now
certificate solutions which implement the solution on iThings and Androids.
Some are better and more secure (and therefore less convenient) than
others.  Softcerts look to be where we will wind up.

Good luck....

Herndon Elliott
Madison, Al
https://keyserver.pgp.com key ID: 24B60B6150130832
ΜΟΛΩΝ ΛΑΒΕ "molon labe"
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
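The two settings the question above contrasts can be audited from one script. The following is an added example, not code from either poster or from the militarycac.com tools: it lists which domain accounts carry the per-user "Smart card is required for interactive logon" flag (the SMARTCARD_REQUIRED bit in userAccountControl) and reads the per-computer "Interactive logon: Require smart card" policy from the local registry. It assumes the ActiveDirectory RSAT module is installed and the host is domain-joined; the account name `jdoe` in the commented Set-ADUser line is hypothetical.

```powershell
# Added example (not from the original thread): audit the two ways a domain can
# require smart cards for interactive logon.
#
#  1. Per-user: the SMARTCARD_REQUIRED bit (0x40000 = 262144) in userAccountControl,
#     exposed by the AD module as SmartcardLogonRequired. It travels with the
#     account and is enforced by the domain controller at authentication time, so
#     every logon by that user is affected (including password-based mail sync),
#     not just logons on one device.
#  2. Per-computer: the "Interactive logon: Require smart card" policy, stored as
#     scforceoption under the Policies\System key. It applies to every interactive
#     logon on that machine, which is why RunAs for admins breaks there.
#
# Assumes: ActiveDirectory module (RSAT) present, domain-joined host.

Import-Module ActiveDirectory

$SmartcardRequiredBit = 0x40000

# Accounts whose user flag forces smart card logon. The LDAP bitwise-AND matching
# rule (1.2.840.113556.1.4.803) does the filtering on the DC instead of pulling
# every account and testing the bit client-side.
$scrilUsers = Get-ADUser `
    -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$SmartcardRequiredBit)" `
    -Properties userAccountControl, SmartcardLogonRequired |
    Select-Object SamAccountName, SmartcardLogonRequired,
        @{ Name = 'UACHex'; Expression = { '0x{0:X}' -f $_.userAccountControl } }

"Accounts with the per-user smart card flag set:"
$scrilUsers | Format-Table -AutoSize

# Computer-side policy on the local machine. Run this on each workstation, or wrap
# it in Invoke-Command against a list of hosts. A value of 1 means smart card is
# required for all interactive logons here, RunAs included.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$force = (Get-ItemProperty -Path $policyKey -Name scforceoption `
          -ErrorAction SilentlyContinue).scforceoption

$state = if ($force -eq 1)       { 'Enabled' }
         elseif ($null -eq $force) { 'Not configured' }
         else                      { "Disabled ($force)" }
"Local 'Interactive logon: Require smart card' policy: $state"

# Toggling the per-user flag for a single account (hypothetical name):
# Set-ADUser -Identity 'jdoe' -SmartcardLogonRequired $true
```

Running both checks side by side shows why neither setting alone scopes to "normal users on specific devices": the per-user flag follows the account to every protocol, while the per-computer policy catches every interactive logon on that host regardless of who is logging on.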
