A.4 Workstation Only Login (Disconnected Support Login)

Smart card workstation login is only available if NESCM is installed with the Novell Client.

Windows workstation login is usually password-based; however, NESCM also supports using a smart card for Windows workstation login. Workstation smart card login is designed to provide the basic smart card login experience for users when they cannot connect to the network, for example laptop users who switch between connected and disconnected states.

A.4.1 Certificate Validation

Because Workstation Only Login is designed to work in conditions where connectivity is limited, only limited certificate validation is performed. Therefore, a successful eDirectory™ smart card authentication must occur before workstation smart card authentication is available; the full validation done during that connected login is what establishes that the certificate is valid. During a Workstation Only Login, the method verifies only that the certificate has not expired and that it was previously used in a successful eDirectory authentication. Revocation status is not among the checks performed while disconnected.

A.4.2 Local Account Information

When smart card workstation login is enabled, NESCM integrates with the Novell Client and stores information on the local machine. This information identifies the Windows account and the certificate used for authentication. The account password is also stored encrypted with a 128-bit AES key.

The 128-bit AES key is generated by using random seed data and the certificate’s private key. This links the AES key to the certificate’s private key and ensures that each account password is encrypted with a unique encryption key. The random seed data used in the key generation process is stored locally, along with the account information. However, the private key itself is never stored.

During a workstation only login, the encryption key is regenerated and the stored password is decrypted. To successfully generate the encryption key and decrypt the password, the smart card must be present and the user must know the PIN. The account name and decrypted password are then passed to Windows to complete the workstation login.
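The following is an added worked example of the scheme described in A.4.2, written in Go with only the standard library. It is not NESCM code: the page does not say how the random seed and the certificate's private key are combined, nor which AES mode is used, so this example assumes a deterministic PKCS#1 v1.5 signature over the seed as the card's private-key operation, SHA-256 of that signature truncated to 128 bits as the AES key, and AES-128-GCM for wrapping the password. The `Card` type, its PIN check, and all function names are hypothetical stand-ins for the smart card and the method. What the example does show is the property the text describes: the seed is stored, the private key and the derived key are not, and without the right card and PIN the stored password cannot be recovered.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Card stands in for the smart card (hypothetical type): the private key never
// leaves it, and a private-key operation runs only after the correct PIN.
type Card struct {
	priv *rsa.PrivateKey
	pin  string
}

// ErrPIN is returned by the card when the supplied PIN is wrong.
var ErrPIN = errors.New("card: wrong PIN")

// NewCard generates a fresh RSA key pair "on the card".
func NewCard(pin string) *Card {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Card{priv: priv, pin: pin}
}

// Sign is the card's private-key operation over the seed. PKCS#1 v1.5 signing
// is deterministic, so the same seed on the same card always gives the same
// output. ASSUMPTION: the page does not specify this construction.
func (c *Card) Sign(pin string, seed []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, ErrPIN
	}
	digest := sha256.Sum256(seed)
	return rsa.SignPKCS1v15(nil, c.priv, crypto.SHA256, digest[:])
}

// LocalAccountInfo is what the workstation stores: account, an identifier for
// the certificate, the random seed, and the wrapped password. Neither the AES
// key nor the private key is stored; the seed alone cannot regenerate the key.
type LocalAccountInfo struct {
	Account         string
	CertID          []byte // SHA-256 of the public modulus, standing in for a thumbprint
	Seed            []byte
	WrappedPassword []byte // AES-128-GCM (assumed mode): nonce || ciphertext || tag
}

// deriveKey turns the card's output on the seed into a 128-bit AES key.
func deriveKey(card *Card, pin string, seed []byte) ([]byte, error) {
	sig, err := card.Sign(pin, seed)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(sig)
	return k[:16], nil
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Enroll runs after a successful connected (eDirectory) login: draw a fresh
// random seed, derive the key with the card, wrap the password, store the seed.
func Enroll(card *Card, pin, account, password string) (*LocalAccountInfo, error) {
	seed := make([]byte, 16)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	key, err := deriveKey(card, pin, seed)
	if err != nil {
		return nil, err
	}
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	id := sha256.Sum256(card.priv.PublicKey.N.Bytes())
	// The account name is bound as associated data so a wrapped blob cannot be
	// transplanted into another account's record.
	return &LocalAccountInfo{
		Account:         account,
		CertID:          id[:],
		Seed:            seed,
		WrappedPassword: gcm.Seal(nonce, nonce, []byte(password), []byte(account)),
	}, nil
}

// DisconnectedLogin regenerates the key from the stored seed and the card, then
// unwraps the password. A wrong PIN or a different card yields an error.
func DisconnectedLogin(card *Card, pin string, info *LocalAccountInfo) (string, error) {
	key, err := deriveKey(card, pin, info.Seed)
	if err != nil {
		return "", err
	}
	gcm := newGCM(key)
	ns := gcm.NonceSize()
	if len(info.WrappedPassword) < ns {
		return "", errors.New("stored blob too short")
	}
	pw, err := gcm.Open(nil, info.WrappedPassword[:ns], info.WrappedPassword[ns:], []byte(info.Account))
	if err != nil {
		return "", errors.New("unwrap failed: this card did not wrap the stored password")
	}
	return string(pw), nil
}

func main() {
	card := NewCard("1234")
	info, _ := Enroll(card, "1234", "alice", "S3cret!")
	pw, err := DisconnectedLogin(card, "1234", info)
	fmt.Println(pw, err)
	_, err = DisconnectedLogin(NewCard("1234"), "1234", info)
	fmt.Println(err)
}
```

The point to take from the example is the trust boundary: an attacker who copies the local account store gets the seed and the wrapped password but not the key, because regenerating it requires the private-key operation that only the card performs after the PIN is entered. The account name as GCM associated data is an addition beyond what the page describes.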

A.4.3 Workstation Only Login Exception

During Workstation Only Login, the Disconnected_Required registry key determines whether smart card login is enforced for all users on that workstation. If Disconnected_Required is set to 1, all users must use a smart card for workstation login.

However, some local users may need to log in without a smart card. Such users must be placed on an exception list so that smart card login is not enforced for them. Each excepted account can log in to that workstation with a password alone, so keep the list to the accounts that genuinely need it.

To configure the Workstation Only Login exception list, see Creating an Exception List in the Novell Client 2 SP3 for Windows Administration Guide.