A.4 Workstation Only Login (Disconnected Support Login)

Smart card workstation login is only available if NESCM is installed with the Novell Client.

Windows workstation login is usually password-based; however, the method supports using the smart card for Windows workstation logins. Workstation smart card login is designed to provide the basic smart card login experience for users when they are not able to connect to the network. An example of this is laptop users who switch between connected and disconnected states.

A.4.1 Certificate Validation

Because Workstation Only Login is designed to work in limited connectivity conditions, only limited certificate validation is performed. Therefore, a successful eDirectory™ smart card authentication must occur before workstation smart card authentication is available. This ensures that the certificate used for login is valid. During a Workstation Only Login, the method verifies that the certificate has not expired and that it was used previously in a successful eDirectory authentication.

A.4.2 Local Account Information

When smart card workstation login is enabled, the method integrates with the Novell Client and stores information on the local machine. This information identifies the Windows account and the certificate used for authentication. The account password is also stored encrypted with a 128-bit AES key.

The 128-bit AES key is generated by using random seed data and the certificate’s private key. This links the AES key to the certificate’s private key and ensures that each account password is encrypted with a unique encryption key. The random seed data used in the key generation process is stored locally, along with the account information. However, the private key itself is never stored.

During a workstation only login, the encryption key is regenerated and the stored password is decrypted. To successfully generate the encryption key and decrypt the password, the smart card must be present and the user must know the PIN. The account name and decrypted password are then passed to Windows to complete the workstation login.
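The page describes the design of this protection (a stored random seed, an AES-128 key tied to the card's private key that is never written to disk, and regeneration at login behind the PIN) but not the exact derivation, so the following Go program is an added illustration of that design, not Novell's code. Assumptions made here: the "card" is simulated by a freshly generated RSA key pair plus a PIN check, the link to the private key is a deterministic PKCS#1 v1.5 signature over the seed, and the password is sealed with AES-128-GCM so that a wrong card, wrong PIN or tampered record fails cleanly into the fall-back path.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Card stands in for the smart card: the private key never leaves it and it
// only signs after a PIN check. Both are assumptions made for this example.
type Card struct{ Key *rsa.PrivateKey; PIN string }
func NewCard(pin string) (*Card, error) { // fresh key pair plays the certificate key
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &Card{Key: key, PIN: pin}, nil
}
// Record is what is stored locally: seed, nonce and ciphertext, never the key.
type Record struct{ Seed, Nonce, Cipher []byte }
// deriveKey ties the 128-bit AES key to the card's private key by hashing a
// deterministic PKCS#1 v1.5 signature over the stored seed (assumed scheme).
func deriveKey(c *Card, pin string, seed []byte) (cipher.AEAD, error) {
	if pin != c.PIN { return nil, errors.New("PIN rejected by card") }
	h := sha256.Sum256(seed)
	sig, err := rsa.SignPKCS1v15(nil, c.Key, crypto.SHA256, h[:])
	if err != nil { return nil, err }
	k := sha256.Sum256(sig)           // 32 bytes; AES-128 uses the first 16
	block, _ := aes.NewCipher(k[:16]) // a 16-byte key cannot fail
	return cipher.NewGCM(block)       // GCM also detects a wrong card or tampering
}
// Enroll runs after a successful connected (eDirectory) smart card login.
func Enroll(c *Card, pin, password string) (*Record, error) {
	r := &Record{Seed: make([]byte, 16), Nonce: make([]byte, 12)}
	rand.Read(r.Seed); rand.Read(r.Nonce)
	g, err := deriveKey(c, pin, r.Seed)
	if err != nil { return nil, err }
	r.Cipher = g.Seal(nil, r.Nonce, []byte(password), nil)
	return r, nil
}
// Recover regenerates the key at disconnected login; any failure means fall back.
func Recover(c *Card, pin string, r *Record) (string, error) {
	g, err := deriveKey(c, pin, r.Seed)
	if err != nil { return "", err }
	pt, err := g.Open(nil, r.Nonce, r.Cipher, nil)
	if err != nil { return "", errors.New("password unrecoverable; fall back") }
	return string(pt), nil
}
```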

A.4.3 Fall-Back Procedure

If the workstation only login attempt fails with the smart card, for any reason, the process automatically falls back and attempts a password-based local login. This allows users who know their local account information to log in locally without using a smart card. If Require Smart Card for Workstation Only Login is turned on, the method does not fall back and attempt a password-based login, and users are required to use a smart card for a local login. Enabling Require Smart Card for Workstation Only Login forces all local logins to use a smart card; no password-based logins are allowed. This means that successful eDirectory smart card logins must occur before any workstation only logins can occur.

In Windows XP, if Require Smart Card for Workstation Only Login is turned on, it is recommended to set Workstation Only Login after Network Login Failed to Never on the Advanced Login tab of the Novell Client Configuration page. With this setting, the Novell Client does not allow an automatic Windows-only login when a network login fails.

Workstation Only Login works best when the local account and eDirectory account names are synchronized. This is because when the account names are synchronized, the user does not need to remember different names for connected (eDirectory) and disconnected (local workstation) logins.

For information on how to implement Workstation Only Login, see Workstation Only Login.

A.4.4 Disconnected Workstation Unlock

NOTE: This option is available only on Windows XP.

If Disconnected_Required is set to 0, users are allowed to fall back to password-based login. Also, during workstation unlock, if the user logged in to eDirectory by using the smart card (NESCM) and the Windows option is selected, it is possible to unlock the workstation by using the workstation password.

However, in some cases it may be necessary to enforce smart card only during workstation unlock; the Disconnected_Required_Unlock registry key (located in HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NMAS\MethodData\enhanced_smartcard) can be used for this.

If Disconnected_Required_Unlock is set to 1 and the smart card mechanism was used during login or within the logged-in session, the user is not allowed to fall back to a password when the Windows option is selected during unlock.

A.4.5 Workstation Only Login Exception

NOTE: This section contains configuration information applicable to Windows XP. To configure the workstation only login exception list on other Windows Client platforms, see “Creating an Exception List” in the Novell Client 2 SP2 for Windows Administration Guide.

During workstation only login, the Disconnected_Required registry key determines whether smart card login is enforced for all users on that workstation. If Disconnected_Required is set to 1, all users must use a smart card during workstation login.

However, there may be certain local users who do not use a smart card during login, and these users need an exception so that smart card login is not enforced for them. This is enabled by using the Disconnected_Required_ExceptionList registry key (located in HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NMAS\MethodData\enhanced_smartcard), which can hold multiple user identities. Each line represents one user to whom the exception applies.

The user identity must be in the following format:

  • Windows 2000 Professional and later versions: <UserName@DomainName>

    For example, user1@domain1

  • Versions prior to Windows 2000: <NetBIOS_Domain\user>

    For example, domain1\user1

The domain name is the Active Directory domain name if the machine is joined to AD or the host name in case of a standalone machine (to get the host name, use the hostname command at the Windows command prompt).

The Disconnected_Required_ExceptionList registry key inverts the effect of the Disconnected_Required registry key, which determines whether smart card login is enforced. For example:

  • If Disconnected_Required is set to 1, smart card login is not enforced on the users mentioned in the exception list.

  • If Disconnected_Required is set to 0, smart card login is enforced on the users mentioned in the exception list.
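As an added illustration (not Novell's code), the following Go function evaluates the rule above for one user: it accepts both documented identity forms (UserName@DomainName and NetBIOS_Domain\user), and returns whether a smart card is required given the Disconnected_Required value and the exception list lines. Case-insensitive matching of account names and the sample list contents are assumptions of this example.

```go
package main

import "strings"

// SampleExceptionList is a constructed stand-in for the registry key's lines.
var SampleExceptionList = []string{"user1@domain1", `domain1\svc-backup`, ""}

// normalize turns either documented identity form into lower-case
// "user@domain"; case-insensitive matching is an assumption of this example.
func normalize(id string) string {
	id = strings.TrimSpace(id)
	if i := strings.Index(id, `\`); i >= 0 { // NetBIOS_Domain\user form
		id = id[i+1:] + "@" + id[:i]
	}
	return strings.ToLower(id)
}

// SmartCardRequired applies the documented interaction: the exception list
// inverts whatever Disconnected_Required (0 or 1) says for the listed users.
func SmartCardRequired(disconnectedRequired int, exceptionList []string, user string) bool {
	enforce := disconnectedRequired == 1
	u := normalize(user)
	for _, line := range exceptionList {
		if line = normalize(line); line != "" && line == u {
			return !enforce
		}
	}
	return enforce
}
```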