"Prevent plaintext PINs from being returned by credential manager"

Discussion in 'Server Security' started by Egil Martinsen, Mar 30, 2009.

  1. Hello,

    I have three questions regarding what the GPO setting "Prevent plaintext PINs
    from being returned by credential manager" does. It is found under Computer
    Configuration -> .. -> ADMX -> Windows Components -> Smartcard.

    1. The explanation found in the group policy editor states that: "If you
    enable this setting, credential manager does not return a plaintext PIN". The
    question is then: To whom will it not return a plaintext PIN? To the LSA? To
    the BaseCSP? To a random user asking for it?

    2. When this setting is enabled, what encryption algorithm is used on the
    PIN, and what key is used?

    3. When this setting is enabled, smartcard login works fine. However,
    smartcard enrollment does not work - when enrolling, the following message is
    displayed after entering the smartcard PIN the first time in the enrollment
    process: "Computer Policy prohibits performing this operation because the
    card does not support the required level of security".
    The question is: Why does login work with this setting, but not signing?

    Thank you very much!
    Egil Martinsen, Mar 30, 2009