Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

The smart card is locked after you change the smart card PIN for a Windows XP, Windows Vista, or Windows Server 2008-based computer


View products that this article applies to.

Symptoms

Consider the following scenario:
  1. In the Active Directory domain network, you issue a smart card certificate to a smart card.
  2. You use the smart card to log on a Windows XP-based computer that has joined the domain.
  3. You use a third-party tool to change the smart card PIN. You leave your smart card in the reader.
In this scenario, when the applications on your computer try to access network resources, the smart card is locked.

Note This issue also occurs in Windows Vista and in Windows Server 2008. In Windows Vista and in Windows Server 2008, you receive the following notification:
Windows needs your current credentials Please lock this computer, then unlock it using your most recent password or smart card

↑ Back to the top


Cause

This problem occurs because the computer cannot update the cached credentials with the new PIN when you change the PIN on your smart card by using a third-party tool. Therefore, when the applications on your computer try to access network resources, the smart card is locked.

↑ Back to the top


Workaround

To work around this issue, follow these steps:
  1. Use the tool that the smart card vendor provides to unblock the smart card.
  2. After you change the smart card PIN, lock and then unlock the computer by using the new PIN so that the smart card is not locked out.

↑ Back to the top


Status

This behavior is by design.

↑ Back to the top


More information

In an Active Directory domain, you can log on by using certificates from a smart card. When you log on to a computer in the domain, but you cannot contact a domain controller, you are logged on by using cached credentials if the credentials are available. When you change the PIN on another computer or by using a third-party tool that does not notify the system of a PIN change, the computer cannot update the cached credentials with the new PIN.

To connect to network resources, the application has to log on by using your credentials. When you use smart cards, the computer uses the Kerberos protocol to authenticate. If the computer has a valid ticket-granting ticket (TGT), the computer can access resources without accessing the smart card.

If the computer does not have a valid TGT, the computer has to obtain a TGT from a domain controller. This action requires access to the smart card. However, because the PIN has been changed, the cached PIN does not work. Therefore, Kerberos returns a wrong PIN status to the application. Kerberos then sends the notification that you must update the cached PIN by locking and unlocking the desktop. If the application continues to try to connect, if the application tries to connect to multiple resources, or if other applications try to connect to new resources, the smart card is locked if it is in the reader.

You can use the LockWorkStation function to lock the computer.

Notes
  • You must log on to the computer before you use this function.
  • You can use this function on the following Windows operating systems to lock the computer automatically:
    • Windows Server 2003
    • Windows XP
    • Windows Vista
    • Windows Server 2008
  • You must use the new PIN to unlock the computer.
  • For more information about the LockWorkStation function, visit the following Web site:

↑ Back to the top


Keywords: kbtshoot, kbexpertiseinter, kbprb, KB958281

↑ Back to the top

Article Info
Article ID : 958281
Revision : 1
Created on : 11/3/2008
Published on : 11/3/2008
Exists online : False
Views : 368