Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.

The Smartcard Removal Policy Service and VPN

A Technet Blog

AD Troubleshooting

The Smartcard Removal Policy Service and VPN

Rate This

Ingolfur Arnar Stangeland

4 May 2010 7:47 AM

Comments 2

Microsoft Windows Server 2008 R2 Operating System

The ScPolicySvc service works by monitoring a specific registry key (See Deconstructing the Smartcard Removal Policy Service).

The VPN client (Connection Manager aka CM) on the other hand doesn’t use the Credential Provider architecture, it uses its own code for picking which certificate from the smartcard will be used for logon.

The VPN component not using CredUI or LogonUI has two side-effects:

The Smartcard Removal Policy Service doesn’t monitor logons made with the VPN client as the registry key isn’t touched when the VPN logon occurs
The user logging on doesn’t get to pick which smartcard certificate will be used for the VPN connection – the VPN components does a simple certificate selection and picks the smartcard logon certificate in the default container (usually the last certificate enrolled for).

How to Support Smart Card Logon for Remote Access VPN Connections
http://technet.microsoft.com/en-us/library/cc875840.aspx

Deconstructing the Smartcard Removal Policy Service:
http://blogs.technet.com/instan/archive/2010/03/08/deconstructing-the-smartcard-removal-service.aspx

Where Is “Logon Using Dial-Up Connections” in Windows Vista?
http://blogs.technet.com/grouppolicy/archive/2007/07/30/where-is-logon-using-dial-up-connections-in-windows-vista.aspx

Troubleshooting Active Directory, Smartcards, Windows 7 / W2k8 R2

Comments

Valts

29 Mar 2012 10:08 AM

Can You help with Smart Card Removal Policy service

i have Domain with SBS 2011 server ; Lenovo ThinkCentre Edge71 computer with Windows 7 PRo 64 bit

i have 2 the same computers. On one install smart card reader and smart card drivers( Gemalto .net card )

login in domain with smart card work fine !

on other i'm not install card reader and smart card ( Gemalto .net )

But Smart Card Removal Policy service not start up ( on both computers )!

message : Smart Card Removal Policy service on Local Computer started and then stopped.
Ingolfur Arnar Stangeland

8 May 2012 3:54 AM

This sounds like you haven't set the ScRemoveOption registry key for the Smartcard Removal Policy service.

You need to set it to either (Lock/Logoff/Disconnect) if you want to use the service - see the link at the top of the page.

If the service starts up and finds that the registry key isn't set it stops again as it doesn't have anything to do in that case.