Consider the following scenario:
- A smart card is configured by using two valid Windows logon certificates for two different user accounts (also known as security principals). One account is for User A and the other for User B. The accounts are protected by a single PIN.
- The Windows logon certificates are implicitly mapped to two different Active Directory accounts. That is, the Subject Alternative Name extension of each certificate contains a different, but valid, User Principal Name (UPN), and Windows resolves each UPN to its own account.
- You select the User A certificate and successfully log on to a computer as User A.
- You lock the computer.
- When you try to unlock the computer, User B’s certificate is selected unexpectedly. You expect to see User A’s certificate selected.
- You enter the card’s PIN.
In this scenario, you receive the following error message:
Only the signed-in user can unlock the computer.
To unlock the computer, you have to return to the logon screen and manually select or switch to User A’s certificate.
You may also experience other undefined scenarios. For example:
- You are logged on by using one of the two certificates, you lock the workstation, and then you want to log on by using the other certificate. In this scenario, the system might take any of the following actions:
    - Present the tile for the currently logged-on user
    - Try to log on the other user
    - Present a screen from which you can select between the users
- Two logon sessions are active, one for each certificate. When you insert the smart card, the computer behavior is undefined.
In addition to inconsistent and undefined behavior, be aware that protecting two accounts with a single smart card and PIN introduces risk: anyone who holds the card and knows the PIN can authenticate as either account, so the separation between the two security principals (for example, between a standard user account and a privileged account) can no longer be enforced by the smart card.
Windows does not support configuring Windows logon certificates for more than one user account or security principal on a single smart card.
You should use a dedicated smart card for each user account or security principal.
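The following PowerShell script is an added example and is not part of the original article. It audits the certificates that Windows propagates from an inserted smart card into the current user's personal store, extracts the UPN from each logon certificate's Subject Alternative Name (the implicit mapping described above), and warns when the certificates map to more than one security principal, which is the unsupported configuration this article describes. It assumes an English-locale Windows (the SAN text is matched on "Principal Name="), that the card's certificates have already been propagated to Cert:\CurrentUser\My, and that smart card key providers can be recognized by the substring "Smart Card" in the provider name; the function and variable names are the example's own.

```powershell
# Added example, not from the original article.
# Assumptions: English-locale SAN formatting ("Principal Name=..."), certificates
# propagated to Cert:\CurrentUser\My, provider names containing "Smart Card".

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU

function Get-CertificateUpn {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # The UPN is an otherName entry in the Subject Alternative Name (OID 2.5.29.17).
    # Windows formats it as "Other Name:Principal Name=user@domain" (English locale; assumed).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

function Get-KeyProviderName {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Resolve the CSP/KSP that holds the private key; requires .NET 4.6+.
    # Opening the key needs the card to be present, so failures are treated as "unknown".
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($key -is [System.Security.Cryptography.RSACng]) { return $key.Key.Provider.Provider }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) { return $key.CspKeyContainerInfo.ProviderName }
    } catch { }
    return $null
}

function Test-SmartCardLogonCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # A logon certificate has a private key and the Smart Card Logon or Client
    # Authentication EKU; S/MIME, code-signing and software-key certificates are ignored.
    if (-not $Certificate.HasPrivateKey) { return $false }
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $false }
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    if (-not (($oids -contains $SmartCardLogonEku) -or ($oids -contains $ClientAuthEku))) { return $false }
    $provider = Get-KeyProviderName $Certificate
    # Keep only keys held by a smart card provider (substring match is an assumption).
    return ($null -ne $provider) -and ($provider -like '*Smart Card*')
}

function Find-MultiPrincipalSmartCard {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    $byUpn = @{}
    foreach ($cert in (Get-ChildItem $StorePath | Where-Object { Test-SmartCardLogonCertificate $_ })) {
        $upn = Get-CertificateUpn $cert
        if (-not $upn) { continue }   # no UPN in the SAN: no implicit mapping, skip
        if (-not $byUpn.ContainsKey($upn)) { $byUpn[$upn] = @() }
        $byUpn[$upn] += $cert
    }
    foreach ($upn in $byUpn.Keys) {
        foreach ($cert in $byUpn[$upn]) {
            [pscustomobject]@{
                UPN        = $upn
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Provider   = Get-KeyProviderName $cert
                NotAfter   = $cert.NotAfter
            }
        }
    }
    if ($byUpn.Count -gt 1) {
        Write-Warning ('Smart card logon certificates for {0} different principals were found: {1}. ' +
                       'Windows does not support more than one logon principal per smart card; ' +
                       'issue a dedicated card for each account.' -f $byUpn.Count, ($byUpn.Keys -join ', '))
    }
}

Find-MultiPrincipalSmartCard | Format-Table -AutoSize
```

Run the script with the card inserted and after the Certificate Propagation service has copied the card's certificates into the personal store; a single card that lists two or more distinct UPNs is the configuration to remediate by reissuing one card per account. The UPN extraction relies on the Windows English rendering of the SAN extension; on a non-English system, parse the raw otherName (OID 1.3.6.1.4.1.311.20.2.3) from the extension's ASN.1 instead.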