PaulDotCom mailing list archives
Re: Requiring smart card use in a Windows domain
From: Herndon Elliott <alabamatoy () gmail com>
Date: Fri, 21 Jun 2013 06:42:10 -0500
Date: Thu, 20 Jun 2013 15:04:18 -0600 From: Terri Shuey <mathair.jedi () gmail com> To: "pauldotcom () mail pauldotcom com" <pauldotcom () mail pauldotcom com> Subject: [Pauldotcom] Requiring smart card use in a Windows domain When testing the 2 different configuration options to require smart card use for interactive logins (computer vs user account setting) we found
both
options broke access to other applications that were linked to AD. For example corporate mail delivery to iDevices when the user account was required to use a smart card. Or RunAs Admin when computer account was
set
to require it. Since corporate mail delivery to an iDevice is normally considered mission critical (heaven forbid if email is down) has anyone found a way to bypass or limit either of these account configurations to just normal user accounts on specific devices? For example require the computer account to use smart card but allow RDP or RunAs for admins without smart card required?
See http://militarycac.com - solution is "Middleware" tools. What you describe is widely deployed and solved in DoD. Also, there are now certificate solutions which implement solution on iThings and Androids. Some are better and more secure (and therefore less convenient) than others. Softcerts look to be where we will wind up. Good luck.... Herndon Elliott Madison, Al https://keyserver.pgp.com key ID: 24B60B6150130832 ΜΟΛΩΝ ΛΑΒΕ "molon labe"
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Requiring smart card use in a Windows domain Terri Shuey (Jun 20)
- <Possible follow-ups>
- Re: Requiring smart card use in a Windows domain Herndon Elliott (Jun 21)