问题
I have created a EFI Pre-Boot Application were in I enter the user credentials which are passed to windows to logon (Single Sign On) using my credential provider.
I have a Group policy "Interactive logon: Smart card removal behavior" set to "Lock Workstation: The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session."
So if I reboot the machine and use login using my credential provider, then the Group policy is not enforced when I remove the Smart Card. But if I lock and unlock the machine and then remove the smart card, Group policy works and machine gets locked.
As per this article https://blogs.technet.microsoft.com/instan/2010/03/08/deconstructing-the-smartcard-removal-policy-service/ I can see that registry entry is NOT created under \HKLM\Software\Microsoft\Windows NT\CurrentVersion\Removal Policy when I logon using smartcard SSO (my custom credential provider).
So my question was, am I missing something in my credential provider ? Do I have to call any API from my credential provider to make GPO work or do I have to implement the corresponding logic in my credential provider so that GPO is enforced by Smartcard Removal Service ?
回答1:
Before starting service you must prepare registry values for it.
- Parameter in the registry path
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Removal Policy - It's name must be logon session id (text '0', '1' etc.)
- Value is binary combination of SmartCard Reader Name and it's status (as noted in article).
In my case it is look like this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Removal Policy]
"1"=hex:41,00,4b,00,53,00,20,00,69,00,66,00,64,00,68,00,20,00,30,00,00,00,00,00,1f,00
It is decoded as Unicode string "AKS ifdh 0" with NULL terminator and DWORD value 0x00190000, where 0x0019 is insertion and removal count of smart-card into reader since boot.
来源:https://stackoverflow.com/questions/53074177/smart-card-removal-policy-is-not-enforced-when-performing-sso-using-custom-crede