AD Troubleshooting

AD and Domain-related issues and troubleshooting methods for Active Directory.

The Smartcard Removal Policy Service and VPN

The Smartcard Removal Policy Service and VPN

  • Comments 2
  • Likes

Microsoft Windows Server 2008 R2 Operating System

The ScPolicySvc service works by monitoring a specific registry key (See Deconstructing the Smartcard Removal Policy Service).

The VPN client (Connection Manager aka CM) on the other hand doesn’t use the Credential Provider architecture, it uses its own code for picking which certificate from the smartcard will be used for logon.

The VPN component not using CredUI or LogonUI has two side-effects:

  • The Smartcard Removal Policy Service doesn’t monitor logons made with the VPN client as the registry key isn’t touched when the VPN logon occurs
  • The user logging on doesn’t get to pick which smartcard certificate will be used for the VPN connection – the VPN components does a simple certificate selection and picks the smartcard logon certificate in the default container (usually the last certificate enrolled for).

How to Support Smart Card Logon for Remote Access VPN Connections
http://technet.microsoft.com/en-us/library/cc875840.aspx

Deconstructing the Smartcard Removal Policy Service:
http://blogs.technet.com/instan/archive/2010/03/08/deconstructing-the-smartcard-removal-service.aspx

Where Is “Logon Using Dial-Up Connections” in Windows Vista?
http://blogs.technet.com/grouppolicy/archive/2007/07/30/where-is-logon-using-dial-up-connections-in-windows-vista.aspx

Comments
  • Can You help with Smart Card Removal Policy service

    i have Domain with SBS 2011 server ;  Lenovo ThinkCentre Edge71 computer with Windows 7 PRo 64 bit

    i have 2 the same computers. On one install smart card reader and smart card drivers( Gemalto .net  card )

    login in domain with smart card work fine !

    on other i'm not install card reader and smart card ( Gemalto .net )

    But Smart Card Removal Policy service not start up  ( on both computers )!

    message : Smart Card Removal Policy service  on Local Computer started and then stopped.

  • This sounds like you haven't set the ScRemoveOption registry key for the Smartcard Removal Policy service.

    You need to set it to either (Lock/Logoff/Disconnect) if you want to use the service - see the link at the top of the page.

    If the service starts up and finds that the registry key isn't set it stops again as it doesn't have anything to do in that case.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment