



Domain Controller

What is an Interactive Logon and Smartcard?

Saturday, April 05, 2008 in Technical Articles
Question: What is the box on a Windows user account that says "Smartcard Required for Interactive Logon" and why doesn't it always require a smartcard to log in to some places?

Real Question: What makes an interactive login?

Answer: Let's dive into what an "Interactive Login" is.

In the Windows world, if you want access to a resource, you need to provide some sort of credentials (even Anonymous users in IIS are actual accounts). Once the credentials are received and verified, the user is handed a security token, similar to a ticket from an amusement park: it says what access the user has to "the park", or "the network".

Note: Call me a bad analogy maker here, but did Disneyland get rid of their limited tickets, and just sell unlimited rides now?

Authentication can come from one of two places: the local SAM (Security Access Manager) database, on a computer that is not part of a domain (or one that is, but where the account happens to be local), or the Active Directory database, on a computer joined to a domain (or on a domain controller). A domain controller does not have a SAM database until it is demoted.

Based on this, there are three types of logins:

Local Login: The SAM database

Domain Login: The Active Directory database

Smartcard: Two-factor authentication, combining something you have (a physical identifier such as a smartcard) with something you know (such as a PIN). This works just like an ATM: it won't accept your card without the PIN, and if you have the PIN but not the card, it won't be very forgiving either.

So back to the point:

Interactive Login can happen in one of two ways:

1. At a console, logging in with any of the above methods.

2. From a remote connection (such as Terminal Services) using any of the above methods. This is also called "Remote Interactive Login".
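As an added illustration that is not part of the original post, here is how the two interactive cases above map onto the Logon Type field of a Windows Security logon event (4624), and how a defender can spot an interactive logon by a smartcard-required account that did not go through Kerberos (domain smartcard logon is Kerberos PKINIT). The sample event lines, their flattened key=value layout, and the account names are constructed for the example.

```python
# Added example (not from the original post): classify constructed Windows
# Security 4624 logon events into the post's "interactive" categories.
import re

# Logon Type values as recorded in Security event 4624.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive (Terminal Services / RDP)",
    11: "CachedInteractive",
}
# The post's definition of interactive: at the console, or over a remote
# session such as Terminal Services (cached console logons included).
INTERACTIVE_TYPES = {2, 10, 11}

# Constructed sample lines in a flattened key=value form (not real logs).
SAMPLE_EVENTS = """\
EventID=4624 Account=alice LogonType=2 AuthPackage=Kerberos
EventID=4624 Account=alice LogonType=3 AuthPackage=NTLM
EventID=4624 Account=bob LogonType=10 AuthPackage=NTLM
EventID=4624 Account=svc-web LogonType=5 AuthPackage=Negotiate
EventID=4624 Account=bob LogonType=3 AuthPackage=Kerberos
"""

LINE_RE = re.compile(r"EventID=(\d+) Account=(\S+) LogonType=(\d+) AuthPackage=(\S+)")

def parse_events(text):
    """Parse the constructed lines into dicts, keeping only 4624 (successful logon)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "4624":
            events.append({"account": m.group(2),
                           "logon_type": int(m.group(3)),
                           "auth_package": m.group(4)})
    return events

def is_interactive(event):
    """True for console or remote interactive logons, per the post's definition."""
    return event["logon_type"] in INTERACTIVE_TYPES

def suspicious_interactive(events, smartcard_required):
    """Interactive logons by smartcard-required accounts that did not use Kerberos.
    Smartcard logon to a domain is Kerberos (PKINIT), so NTLM here is worth a look."""
    return [e for e in events
            if e["account"] in smartcard_required
            and is_interactive(e) and e["auth_package"] != "Kerberos"]
```

Network logons (type 3), such as a website authenticating a user, are not interactive, which is why the "Smartcard Required for Interactive Logon" setting does not govern them.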

Why would some places like websites not require or accept a smartcard for login?

Simply put, many websites are not enabled for smartcards. IIS does have a mechanism in place for it, but forms-based authentication is, for now, still king.

If a user is set for smartcard authentication, make sure your users don't forget their passwords unless everything you do completely supports smartcards (and if it does, I salute you; you're light years ahead)...

I hope this clears up the definition of Smartcards and Interactive Logins...

