Windows Server with smart card/CAC readers

[itguy12]

Good morning all. I have a very general question mainly because I don't know exactly what to ask I suppose.

I need to test smart card/reader functionality with Windows Server(either 03 or 08). For example, I want the server to log out of Windows when a card is removed from the reader. How do i go about setting up the server or domain to be able to do this? Thanks a lot for your help!

[cluberti]

With Server 2003 and Server 2008, doing this generally requires 3rd party security SSO software. It's a little easier with Server 2008 R2 environments (and the domain must be 2008 R2), but it's not 100% seamless:

http://technet.microsoft.com/en-us/library/dd378897(WS.10).aspx

http://blogs.technet.com/instan/archive/2010/01/15/enforce-smartcard-on-access-check-functionality-in-windows-2008-r2.aspx

http://technet.microsoft.com/en-us/library/dd367851(WS.10).aspx

You still need to consider an SSO solution if you want end-to-end smartcard logons for everything if you run legacy clients, but if you want to use a smart card for AD and security authentication, 2008 R2 domains/DCs can do it out of the box as long as the client is Windows 7 or Vista SP2. If you've got a mix, you will have to weigh the costs of upgrading to 2008 R2 and client OSes versus locking yourself into a different SSO solution.