In the Active Directory domain network, you issue a smart card certificate to a smart card.
You use the smart card to log on a Windows XP-based computer that has joined the domain.
You use a third-party tool to change the smart card PIN. You leave your smart card in the reader.
In this scenario, when the applications on your computer try to access network resources, the smart card is locked.
Note: This issue also occurs in Windows Vista and in Windows Server 2008. In Windows Vista and in Windows Server 2008, you receive the following notification:
Windows needs your current credentials Please lock this computer, then unlock it using your most recent password or smart card
This problem occurs because the computer cannot update the cached credentials with the new PIN when you change the PIN on your smart card by using a third-party tool. Therefore, when the applications on your computer try to access network resources, the smart card is locked.
To work around this issue, follow these steps:
1. Use the tool that the smart card vendor provides to unblock the smart card.
2. After you change the smart card PIN, lock and then unlock the computer by using the new PIN so that the smart card is not locked out.
This behavior is by design.
In an Active Directory domain, you can log on by using certificates from a smart card. When you log on to a computer in the domain, but you cannot contact a domain controller, you are logged on by using cached credentials if the credentials are available. When you change the PIN on another computer or by using a third-party tool that does not notify the system of a PIN change, the computer cannot update the cached credentials with the new PIN.
To connect to network resources, the application has to log on by using your credentials. When you use smart cards, the computer uses the Kerberos protocol to authenticate. If the computer has a valid ticket-granting ticket (TGT), the computer can access resources without accessing the smart card.
If the computer does not have a valid TGT, the computer has to obtain a TGT from a domain controller. This action requires access to the smart card. However, because the PIN has been changed, the cached PIN no longer works. Therefore, Kerberos returns a wrong-PIN status to the application. Kerberos then sends the notification that you must update the cached PIN by locking and unlocking the desktop. If the application keeps retrying, if it tries to connect to multiple resources, or if other applications try to connect to new resources, each attempt presents the stale cached PIN to the card, and the smart card is locked if it is in the reader.
You can use the LockWorkStation function to lock the computer.
You must log on to the computer before you use this function.
You can use this function on the following Windows operating systems to lock the computer automatically:
Windows Server 2003
Windows Server 2008
You must use the new PIN to unlock the computer.
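The following PowerShell script is an added example, not code from the KB article or from Microsoft. It shows the remediation the article describes from the administrator's side: check whether the current logon session still holds a Kerberos TGT (if it does, applications can reach network resources without touching the card), and if it does not, call the LockWorkStation function so the user is forced through the lock-and-unlock cycle with the new PIN before applications exhaust the card's PIN retries. It assumes klist.exe is available (it ships with Windows 7 and Windows Server 2008 R2 and later; on the older systems listed here it may have to come from the Resource Kit) and that the script runs inside the interactive logon session, which LockWorkStation requires. The function names Test-KerberosTgt and Invoke-PinRefreshLock are this example's own.

```powershell
# Added example (not from the KB article). Refresh cached smart card credentials
# after a PIN change made by a third-party tool, by locking the workstation so
# the user unlocks it with the NEW PIN before applications lock the card.

# LockWorkStation is the user32.dll export the article refers to.
$lockSignature = @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
'@
$user32 = Add-Type -MemberDefinition $lockSignature -Name 'NativeLock' `
    -Namespace 'SmartCardPinRefresh' -PassThru

function Test-KerberosTgt {
    # Returns $true when the current logon session holds a cached TGT,
    # $false when it does not, and $null when klist.exe is unavailable.
    # Assumption: klist.exe prints a "Cached TGT:" header when a TGT exists.
    try {
        $output = & klist.exe tgt 2>&1 | Out-String
    } catch {
        return $null
    }
    return ($output -match 'Cached TGT')
}

function Invoke-PinRefreshLock {
    param([switch]$Force)

    $hasTgt = Test-KerberosTgt
    if (-not $Force -and $hasTgt -eq $true) {
        # With a valid TGT, resource access does not touch the smart card (see above),
        # so there is no immediate risk of the stale cached PIN locking the card.
        Write-Host 'A valid TGT is cached; no lock needed yet. Re-run with -Force to lock anyway.'
        return $false
    }

    # LockWorkStation only posts the lock request and returns immediately. It fails
    # (returns $false) when the caller is not running on the interactive desktop,
    # which is the "you must log on to the computer before you use this function" rule.
    if (-not $user32::LockWorkStation()) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LockWorkStation failed with Win32 error $err (is this an interactive session?)"
    }
    Write-Host 'Workstation locked. Unlock it with the NEW smart card PIN to refresh the cached credentials.'
    return $true
}

# Usage: run this right after changing the PIN with the third-party tool,
# while the card is still in the reader and before applications retry.
Invoke-PinRefreshLock
```

Because the page notes that a valid TGT lets the computer reach resources without accessing the card, the script only forces the lock when no TGT is cached (or when -Force is given); once the TGT expires, the first application that needs a new ticket would otherwise present the stale PIN to the card.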
For more information about the LockWorkStation function, visit the following Web site:
Microsoft Windows XP Home Edition, Microsoft Windows XP Professional, Windows Vista Business, Windows Vista Enterprise, Windows Vista Home Premium, Windows Vista Ultimate, Windows Vista Business 64-bit Edition, Windows Vista Enterprise 64-bit Edition, Windows Vista Home Premium 64-bit Edition, Windows Vista Ultimate 64-bit Edition, Windows Server 2008 Datacenter without Hyper-V, Windows Server 2008 Enterprise without Hyper-V, Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Standard without Hyper-V, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard