Article ID: 958281
Consider the following scenario:
Note This issue also occurs in Windows Vista and in Windows Server 2008. In Windows Vista and in Windows Server 2008, you receive the following notification:
This problem occurs because the computer cannot update the cached credentials with the new PIN when you change the PIN on your smart card by using a third-party tool. Therefore, when the applications on your computer try to access network resources, the smart card is locked.
To work around this issue, follow these steps:
In an Active Directory domain, you can log on by using certificates from a smart card. When you log on to a computer in the domain, but you cannot contact a domain controller, you are logged on by using cached credentials if the credentials are available. When you change the PIN on another computer or by using a third-party tool that does not notify the system of a PIN change, the computer cannot update the cached credentials with the new PIN.
To connect to network resources, the application has to log on by using your credentials. When you use smart cards, the computer uses the Kerberos protocol to authenticate. If the computer has a valid ticket-granting ticket (TGT), the computer can access resources without accessing the smart card.
If the computer does not have a valid TGT, the computer has to obtain a TGT from a domain controller. This action requires access to the smart card. However, because the PIN has been changed, the cached PIN does not work. Therefore, Kerberos returns a wrong PIN status to the application. Kerberos then sends the notification that you must update the cached PIN by locking and unlocking the desktop. If the smart card is in the reader, the card is locked when the application continues to try to connect, when the application tries to connect to multiple resources, or when other applications try to connect to new resources.
You can use the LockWorkStation function to lock the computer.
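The sequence described above, as a small Python model added here for illustration; it is not Microsoft's code and calls no Windows API. The retry limit of 3, the class and function names, and the sample PINs are assumptions (the real limit depends on the card).

```python
# Toy model added for illustration; not Windows, Kerberos or vendor code.
PIN_RETRY_LIMIT = 3  # assumption: the real limit depends on the card

class SmartCard:
    def __init__(self, pin):
        self.pin = pin
        self.retries_left = PIN_RETRY_LIMIT

    def verify(self, pin):
        """A wrong PIN consumes a retry; at zero the card is locked."""
        if self.retries_left == 0:
            return False
        if pin == self.pin:
            self.retries_left = PIN_RETRY_LIMIT
            return True
        self.retries_left -= 1
        return False

class Workstation:
    def __init__(self, card, pin):
        self.card, self.cached_pin, self.has_valid_tgt = card, pin, True

    def connect(self, resource):
        """One application connecting to one network resource."""
        if self.has_valid_tgt:
            return "ok: existing TGT, card not accessed"
        if self.card.verify(self.cached_pin):
            self.has_valid_tgt = True
            return "ok: new TGT obtained with cached PIN"
        if self.card.retries_left == 0:
            return "card locked"
        return "wrong PIN: lock and unlock the desktop"

    def lock_and_unlock(self, typed_pin):
        """The workaround: unlocking with the new PIN refreshes the cache."""
        if self.card.verify(typed_pin):
            self.cached_pin = typed_pin

def simulate(apply_workaround):
    card = SmartCard("1111")              # constructed sample PINs
    pc = Workstation(card, "1111")
    card.pin = "2222"                     # PIN changed by a third-party tool
    pc.has_valid_tgt = False              # later the TGT is no longer valid
    results = [pc.connect("fileserver")]
    if apply_workaround:
        pc.lock_and_unlock("2222")
    results += [pc.connect(r) for r in ("mail", "intranet", "printer")]
    return results, card.retries_left == 0
```

`simulate(False)` ends with the card locked after three connection attempts with the stale PIN; `simulate(True)` shows that locking and unlocking after the first notification lets the remaining connections succeed.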
Article ID: 958281 - Last Review: November 3, 2008 - Revision: 1.0