In an Active Directory domain, you can log on by using certificates from a smart card. When you log on to a computer in the domain, but you cannot contact a domain controller, you are logged on by using cached credentials if the credentials are available. When you change the PIN on another computer or by using a third-party tool that does not notify the system of a PIN change, the computer cannot update the cached credentials with the new PIN.
To connect to network resources, the application has to log on by using your credentials. When you use smart cards, the computer uses the Kerberos protocol to authenticate. If the computer has a valid ticket-granting ticket (TGT), the computer can access resources without accessing the smart card.
If the computer does not have a valid TGT, the computer has to obtain a TGT from a domain controller. This action requires access to the smart card. However, because the PIN has been changed, the cached PIN no longer works. Therefore, Kerberos returns a wrong-PIN status to the application. Kerberos then sends the notification that you must update the cached PIN by locking and unlocking the desktop. If the application continues to try to connect, if the application tries to connect to multiple resources, or if other applications try to connect to new resources, each attempt with the stale cached PIN counts as a failed PIN entry, and the smart card is locked if it is in the reader.
You can use the LockWorkStation function to lock the computer.
Notes
- You must log on to the computer before you use this function.
- You can use this function on the following Windows operating systems to lock the computer automatically:
  - Windows Server 2003
  - Windows XP
  - Windows Vista
  - Windows Server 2008
- You must use the new PIN to unlock the computer.
- For more information about the LockWorkStation function, visit the following Web site:
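The following PowerShell script is an added example, not part of the original article, showing how an administrator can trigger the lock-and-unlock workaround programmatically: it P/Invokes the user32.dll LockWorkStation export, refuses to run outside an interactive logon session (where the call cannot succeed), and reports the Win32 error if the lock fails. The function name Invoke-SmartCardPinRefreshLock is an assumed name chosen for this example.

```powershell
# Added example (not from the article): lock the interactive desktop with
# LockWorkStation so that the next unlock, done with the NEW smart-card PIN,
# refreshes the cached PIN before applications retry Kerberos.
# Assumes it runs in the logged-on user's interactive session.
Add-Type -Namespace Win32 -Name Desktop -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool LockWorkStation();
'@

function Invoke-SmartCardPinRefreshLock {
    # LockWorkStation only works from an interactive logon session;
    # a service or a non-interactive scheduled task cannot lock the desktop.
    if (-not [Environment]::UserInteractive) {
        throw "LockWorkStation requires an interactive logon session."
    }

    $ok = [Win32.Desktop]::LockWorkStation()
    if (-not $ok) {
        # SetLastError = true in the DllImport lets us read the Win32 error.
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $msg = (New-Object System.ComponentModel.Win32Exception($err)).Message
        throw "LockWorkStation failed (Win32 error $err): $msg"
    }

    Write-Host "Desktop locked. Unlock it with the NEW smart-card PIN so the cached PIN is updated before any application retries the connection."
}

Invoke-SmartCardPinRefreshLock
```

Run it from the affected user's session as soon as the wrong-PIN status appears, before further connection retries can exhaust the card's PIN attempts.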