Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Smart card containing valid Windows logon certificates for more than one user identity is not supported


View products that this article applies to.

Symptoms

Consider the following scenario:

  • A smart card is configured by using two valid Windows logon certificates for two different user accounts (also known as security principals). One account is for User A and the other for User B. The accounts are protected by a single PIN.
  • The Windows logon certificates are implicitly mapped to different Active Directory accounts. That is, different Subject Alternative Name extensions of the Windows logon certificates contain different, but valid, User Principle Names.
  • You select the User A certificate and successfully log on to a computer as User A.
  • You lock the computer.
  • When you try to unlock the computer, User B’s certificate is selected unexpectedly. You expect to see User A’s certificate selected.
  • You enter the card’s PIN.

In this scenario, you receive the following error message:

To log on, you have to return to the logon screen and manually select or switch to User A’s certificate.

You may also experience other undefined scenarios. For example:

  • You are logged on by using one of the two certificates, you lock the workstation, and then you want to log on by using the other certificate. In this scenario, the system might take any of the following actions:
    • Present the tile for the currently logged-on user
    • Try to log on the other user
    • Present a screen from which you can select between the users
  • Two logon sessions are active, one for each certificate. When you insert the smart card, the computer behavior is undefined.

In addition to inconsistent and undefined behavior, be aware that having two accounts that are protected by a single smart card and PIN introduces risk and could compromise security between the accounts.

↑ Back to the top


Resolution

Windows does not support configuring Windows logon certificates for more than one user account or security principal on a single smart card.

You should use a dedicated smart card for each user account or security principal.

↑ Back to the top


Keywords: Smart card logon, User Logon and Smart Card logon, kbContentAuto, kbSupportTopic

↑ Back to the top

Article Info
Article ID : 4516576
Revision : 8
Created on : 8/22/2019
Published on : 8/22/2019
Exists online : False
Views : 456