smart card removal


sleekmountaincat

hello,

I have a 2008 terminal server which is a member of an AD domain. I am trying to set up access via smart cards. Logon works great; however, I need the session to disconnect when a smart card is removed. I have set the 'Interactive logon: Smart card removal behavior' policy locally using the local computer group policy MMC. There are no conflicting AD group policies. I get the expected behavior maybe 20% of the time; the rest of the time removing a smart card has no effect. I have tried multiple readers and cards. The client computers I have tested with are XP SP3, and a thin client running rdesktop on top of Thinstation (open source thin client Linux OS). Both clients exhibit the same behavior. I cannot reproduce the unexpected behavior; it seems to just work occasionally, and fail most of the time. I cannot find any events, errors or otherwise, relating to smart card removal in Event Viewer. The 'Smart Card' and 'Smart Card Removal Policy' services are started and set to automatic.

ANY help would be greatly appreciated. thanks for your time,

chris



Hmm, not heard of any problems like that with the Smart Card Removal service... but then I've only seen it first-hand using Windows 7 clients to a W2K8R2 RDS server.

Is the problem specific to the action specified (disconnect)?

I would test the lock workstation and force logoff options to see if it is just the "smart card went bye-bye" event that isn't coming from the clients' redirected smart card devices, as a starting point.

Is there anything consistent about when it works vs when it doesn't work?

(Such as, it works if the user logs on using the smart card and then pulls it, but not if they reconnect to an existing session first.)

The Smart Card Removal Policy service is responsible for enforcing the action specified when a smart card is removed from a session that used it for authentication, and the Smart Card service (IIRC) is the one that retains the session/smart card information.

If the latter is restarted when sessions are active, they won't be able to associate a smart card removal event with a session for the Smart Card Removal Policy service to be told to take action.

Any reason you chose to configure it through a local policy rather than a GPO aimed at the TS server(s)?

Not really much help there, sorry, but food for thought at least.

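A quick way to run the checks the reply suggests on the terminal server itself, as an added diagnostic script that is not from the thread: it reads the effective removal-behavior setting, reports the state and start mode of the two services named above, and lists active sessions so a removal test can be correlated with a session. It assumes the policy is stored as the `ScRemoveOption` value under the Winlogon key and that the services are named `SCardSvr` and `SCPolicySvc`.

```powershell
# Added diagnostic example (not from the original thread).
# Assumption: the 'Smart card removal behavior' setting is stored as the
# REG_SZ value ScRemoveOption under the Winlogon key.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$meaning = @{
    '0' = 'No Action'
    '1' = 'Lock Workstation'
    '2' = 'Force Logoff'
    '3' = 'Disconnect if a Remote Desktop Services session'
}

$value = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption `
          -ErrorAction SilentlyContinue).ScRemoveOption
if ($null -eq $value) {
    Write-Output 'ScRemoveOption is not set: removal behavior defaults to No Action'
} else {
    $text = $meaning[[string]$value]
    if (-not $text) { $text = 'unknown value' }
    Write-Output ("ScRemoveOption = {0} ({1})" -f $value, $text)
}

# Both services must be running: the Smart Card service (SCardSvr) keeps the
# card/session association and the Smart Card Removal Policy service
# (SCPolicySvc) enforces the configured action. Win32_Service is used because
# PowerShell 2.0 on Server 2008 does not expose StartType via Get-Service.
foreach ($name in 'SCardSvr', 'SCPolicySvc') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        Write-Output ("{0}: service not found" -f $name)
        continue
    }
    Write-Output ("{0,-12} State={1,-8} StartMode={2}" -f `
        $name, $svc.State, $svc.StartMode)
}

# Active sessions on the terminal server, to compare against which session
# (if any) disconnects when a card is pulled during a test.
query session
```

Run it once while a smart-card session is active, then again after restarting the Smart Card service, to see whether the association the reply describes is the piece being lost.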