Authenticating users with smartcard and login/password

Context

When a user opens an Active Directory session with his smartcard, it happens that some applications do not support smartcard logon but need a classical user/password login.

Dilemma

When you use the Active Directory Users and Computers MMC, you only have the option “Smart card is required for interactive logon”:

This option does the following:

  • Disables logon with a password
  • Changes the user password (to a value the user does not know)
  • Removes the password expiration date for the user

Solution

User modification

Do not change the user with the ADUC MMC.

Instead, change the user's properties with a PowerShell script. The script below sets only the SMARTCARD_REQUIRED flag (the password is left untouched) and then grants the account itself (SELF) the "Reset Password" and "Change Password" extended rights so the user can still manage his password:

# Value of the ADS_UF_SMARTCARD_REQUIRED flag in userAccountControl
$ADS_UF_SMARTCARD_REQUIRED = 0x40000

# Looks up the rightsGuid of an extended right (e.g. "Reset Password")
# in the Extended-Rights container of the configuration partition
function GetADRightGuid([string]$DisplayName) {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    $searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    $null = $searcher.PropertiesToLoad.Add("rightsGuid")
    [guid]$searcher.FindOne().Properties["rightsguid"][0]
}

# $Props is the search result of the user to modify (e.g. from a DirectorySearcher)
$oUser = [ADSI]("LDAP://" + $Props.distinguishedname)
Write-Output "Found user: $($oUser.DistinguishedName)"

Write-Output "   --> Setting SMARTCARD_REQUIRED (No password change)"
[int]$userFlags = $oUser.useraccountcontrol[0]
$oUser.useraccountcontrol = $userFlags -bor $ADS_UF_SMARTCARD_REQUIRED
$oUser.setinfo()

# SELF (S-1-5-10): the ACEs below apply to the account itself
$self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'

Write-Output "   --> Changing rights and attributes"
# Allow the user to reset and change his own password
$oUser.ObjectSecurity.AddAccessRule((New-Object DirectoryServices.ActiveDirectoryAccessRule `
    $self, "ExtendedRight", "Allow", (GetADRightGuid "Reset Password")))

$oUser.ObjectSecurity.AddAccessRule((New-Object DirectoryServices.ActiveDirectoryAccessRule `
    $self, "ExtendedRight", "Allow", (GetADRightGuid "Change Password")))

# Write the modified security descriptor (ntSecurityDescriptor) back to AD
$oUser.CommitChanges()

Checking password expiry

On the OU that contains the account, link a GPO that runs the following PowerShell logon script (or an equivalent one). It shows the user whether his password still expires and how old it is:

# Look up the current user in AD with a DirectorySearcher
$RootDSE  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($RootDSE.defaultNamingContext)"
$searcher.Filter = "(&(objectClass=user)(objectcategory=person)(sAMAccountName=$($env:username)))"
$null = $searcher.PropertiesToLoad.AddRange(@("distinguishedname", "displayname", "samAccountName", "useraccountcontrol", "objectGUID", "pwdLastSet"))
$oUser = $searcher.FindOne()

# pwdLastSet is a FILETIME (100 ns intervals since 1601, UTC); 0 means "must change password at next logon"
$pwdLastSet = [DateTime]::FromFileTimeUtc([Int64]$oUser.Properties["pwdlastset"][0])
$UF = [int32]$oUser.Properties["useraccountcontrol"][0]
$bSmartCard       = ($UF -band 0x40000) -ne 0   # ADS_UF_SMARTCARD_REQUIRED
$bExpiresPassword = ($UF -band 0x10000) -eq 0   # 0x10000 is ADS_UF_DONT_EXPIRE_PASSWD: the password expires only when it is clear

$pwdAge = (Get-Date).ToUniversalTime() - $pwdLastSet
# $OutBox is the TextBox of the logon script's form; use Write-Output instead if there is no GUI
$OutBox.AppendText("   --> DistinguishedName           : $($oUser.Properties["distinguishedname"])`n")
$OutBox.AppendText("   --> DisplayName                 : $($oUser.Properties["displayname"])`n")
$OutBox.AppendText("   --> Password expires            : $($bExpiresPassword)`n")
$OutBox.AppendText("   --> Requires SmartCard          : $($bSmartCard)`n")
$OutBox.AppendText("   --> Password date        (UTC)  : $($pwdLastSet)`n")
$OutBox.AppendText("   --> Password age                : $($pwdAge.Days) Days $($pwdAge.Hours) Hours $($pwdAge.Minutes) Mn`n")
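As an added example that is not part of the original post, the following script audits the state the two scripts above produce: it lists every account with SMARTCARD_REQUIRED set and reports whether its password can expire and whether SELF holds the "Reset Password" extended right. It uses the same ADSI/DirectorySearcher approach as the post; the function name, variable names and the use of the well-known rightsGuid of "Reset Password" are assumptions.

```powershell
# Audit of smart-card accounts (added example, not the post's own code)
$UF_DONT_EXPIRE_PASSWD = 0x10000
$UF_SMARTCARD_REQUIRED = 0x40000
# Well-known rightsGuid of the "Reset Password" control access right
$ResetPasswordGuid = [guid]"00299570-246d-11d0-a768-00aa006e0529"

function Get-SmartCardAccountAudit {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    # LDAP bitwise-AND matching rule: userAccountControl has the smart-card bit set
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$UF_SMARTCARD_REQUIRED))"
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.AddRange(@("distinguishedname", "samaccountname", "useraccountcontrol", "pwdlastset"))

    foreach ($result in $searcher.FindAll()) {
        $uac   = [int]$result.Properties["useraccountcontrol"][0]
        $entry = $result.GetDirectoryEntry()
        # Explicit or inherited Allow ACE granting SELF (S-1-5-10) the Reset Password extended right
        $selfCanReset = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.IdentityReference.Value -eq "S-1-5-10" -and
                $_.AccessControlType -eq "Allow" -and
                ($_.ActiveDirectoryRights -band [DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                $_.ObjectType -eq $ResetPasswordGuid
            }
        # pwdLastSet of 0 means the password must be changed at next logon
        $pwdLastSet = [DateTime]::FromFileTimeUtc([Int64]$result.Properties["pwdlastset"][0])
        [pscustomobject]@{
            SamAccountName    = [string]$result.Properties["samaccountname"][0]
            DistinguishedName = [string]$result.Properties["distinguishedname"][0]
            PasswordExpires   = (($uac -band $UF_DONT_EXPIRE_PASSWD) -eq 0)
            SelfCanResetPwd   = [bool]$selfCanReset
            PasswordAgeDays   = [int]((Get-Date).ToUniversalTime() - $pwdLastSet).TotalDays
        }
    }
}

Get-SmartCardAccountAudit | Format-Table -AutoSize
```

An account that shows SelfCanResetPwd = True but PasswordExpires = False is one the ADUC checkbox (or a later edit) has touched, so the listing doubles as a check that the script above, not the MMC, was used.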

11 thoughts on “Authenticating users with smartcard and login/password”

  1. I loved as much as you’ll receive carried out right here.

    The sketch is attractive, your authored material stylish.
    nonetheless, you command get bought an nervousness over that you wish be delivering the following.
    unwell unquestionably come further formerly again as exactly the
    same nearly a lot often inside case you shield this increase.

    Visit my web site :: special

  2. It's like you read my mind! You appear to know so much about this, like you wrote the book on it or something. I think that you can do with some pics to drive the message home a little bit, but instead of that, this is a magnificent blog. An excellent read. I’ll certainly be back.

  3. Hi, neat post. There’s a problem with your web site in Internet Explorer, could you check this? IE is still the marketplace leader and a big part of people will miss your fantastic writing due to this problem.

  4. I have been surfing online more than 2 hours today, yet I never found any interesting article like yours. It’s pretty worth enough for me. In my view, if all webmasters and bloggers made good content as you did, the internet will be a lot more useful than ever before.

  5. Hello there, You have done a fantastic job. I will certainly digg it and personally suggest to my friends. I’m confident they will be benefited from this website.

  6. I’ll immediately grab your RSS as I can’t find your e-mail subscription hyperlink or e-newsletter service. Do you have any? Please let me know so that I may subscribe. Thanks.

  7. Pingback: active directory smart card login - levelonoir.fr

  8. Pingback: codetwo login - playsquare.tv
