pkcs11 sso (using prior windows login with smartcard)

Question

I wish to do the following:

1. Login or unlock my windows account with a smartcard (I know how). The smartcard prompts for PIN.

2. Then access a java software inside the account - and I want to use the same smartcard during its operation. However, I don't want it to prompt for PIN, but rather rely on the prior windows authentication.

Question: is this possible?

Thank you.

Answer 1

If you're allowed to patch your existing login procedures, perhaps its worth it to look at pGina (http://pgina.org/), as it is a modular replacement for the GINA part of Windows.

Answer 2

coming from Incorparating SSO in addition/instead SSL:

1. When sign in into Windows with your smartcard, it peforms a pkinit and obtains a Kerberos TGT for you.
2. When you access a further resource that TGT is used and a Kerberos service ticket is created. No smartcard cert involved.
3. However, if you want to use the the smartcard in your app, you perform client cert auth and not Kerberos therefore the app must prompt you for your PIN.