{"id":92,"date":"2008-10-25T21:06:00","date_gmt":"2008-10-25T18:06:00","guid":{"rendered":"http:\/\/www.borayildiz.com\/?p=92"},"modified":"2019-03-08T20:42:37","modified_gmt":"2019-03-08T17:42:37","slug":"","status":"publish","type":"post","link":"https:\/\/www.borayildiz.com\/blog\/en\/windows-server-2003-uzerinde-smart-card-logon-sorunu.html","title":{"rendered":"","raw":""},"content":{"rendered":"","protected":false,"raw":""},"excerpt":{"rendered":"","protected":false,"raw":""},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_en_post_content":"","_en_post_name":"","_en_post_excerpt":"","_en_post_title":"","_tr_post_content":"A smart card is a technology used to strengthen security in authentication and\/or logon. However, the comfort and assurance this technology gives us can also turn into a nightmare when unexpected errors occur. For example: the smart card you use to log on to a smart-card-protected domain controller, or to any server that is a domain member, is lost or broken, and you urgently need to log on. There is no other account on the system authorized to change the existing smart card logon policy either. Looking at this scenario, it is a genuinely difficult situation. We could list many scenarios like this or similar to it.\n\nIn this article I will try to explain how, by changing the smart card policies on the domain controller, we can log on to the domain controller again without using a smart card.<!--more-->\n\nTo edit the Default Domain Policy I open the Active Directory Users and Computers window.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/01.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 1: I want the whole domain to be affected by the policy I am going to apply. I right-click the domain name and click Properties.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/02.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 2: In the window that opens I go to the Group Policy tab and click \"Edit\".\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/03.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 3: In the Group Policy Object Editor window, I first double-click \"Interactive logon: Require smart card\", found under Default Domain Policy\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/04.JPG\" alt=\"\" width=\"421\" height=\"499\" \/>\n\nFigure 4: In the window that opens I tick \"Define this policy setting\", select \"Enabled\" and confirm the selection with \"OK\".\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/05.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 5: Next, again in the Group Policy Object Editor window, I double-click \"Interactive logon: Smart card removal behavior\", found under Default Domain Policy\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/06.JPG\" alt=\"\" width=\"421\" height=\"500\" \/>\n\nFigure 6: In the window that opens I tick \"Define this policy setting\", select \"Lock Workstation\" and confirm the selection with \"OK\".\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/07.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 7: Before closing the Group Policy tab, I click \"Properties\".\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/08.JPG\" alt=\"\" width=\"404\" height=\"447\" \/>\n\nFigure 8: I note down the \"Unique name\" of the policy I am applying: {31B2F340-016D-11D2-945F-00C04FB984F9}\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/09.JPG\" alt=\"\" width=\"365\" height=\"216\" \/>\n\nFigure 9: I run the \"gpupdate \/force\" command so that the Domain Controller I am working on picks up the policy. This ensures that the changes we defined in the policy are written to the registry.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/10.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 10: When I log off the domain controller and try to log on again, I get the error shown in the figure, which is the one I expected.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/11.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 11: I insert the ERD Commander CD and boot the domain controller from the CD. I open the GptTmpl.inf file found under the folder C:\\WINDOWS\\SYSVOL\\sysvol\\deneme.com\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Microsoft\\Windows NT\\SecEdit. Note: the {31B2F340-016D-11D2-945F-00C04FB984F9} folder under C:\\WINDOWS\\SYSVOL\\sysvol\\deneme.com\\Policies\\ is also the \"Unique name\" of the policy I changed.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/12.JPG\" alt=\"\" width=\"362\" height=\"210\" \/>\n\nFigure 12: Next I type \"erdregedit\" in ERD Commander's Run line to open the registry editor.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/13.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 13: I start by removing the values the policy wrote to the registry of the domain controller, which is the only machine in the domain. I delete the scremoveoption value found under HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon. This is the value that the \"Interactive logon: Smart card removal behavior\" policy setting writes to the registry.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/14.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 14: Next we change the scforceoption value under HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system, which is the value we wrote to the registry with the \"Interactive logon: Require smart card\" policy, to \"0\" (zero).\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/15.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 15: Finally we return to our GptTmpl.inf file under C:\\WINDOWS\\SYSVOL\\sysvol\\deneme.com\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Microsoft\\Windows NT\\SecEdit. Under the [Registry Values] section we delete the line MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ScRemoveOption=1,\"1\".\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/16.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 16: And the file content takes this form.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/17.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 17: Again inside the GptTmpl.inf file, under [Registry Values], we replace the 1 at the end of the line \"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ScforceOption=4,1\" with 0 (zero), and our file takes its final form. We save the file and exit. We change the content of this file so that, when the policy is applied again, it does not overwrite the smart card changes we made in the registry and re-enable smart card logon in the registry values.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/18.JPG\" alt=\"\" width=\"209\" height=\"487\" \/>\n\nFigure 18: We follow ERD Commander's Start&gt;Log off steps.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/19.JPG\" alt=\"\" width=\"333\" height=\"178\" \/>\n\nFigure 19: In the window that opens we select Restart, and as the restart begins we remove the ERD CD from the CD-ROM drive.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/20.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 20: The Windows Server 2003 logon screen appears. When we first logged off the domain controller it had given us the smart card error. We type our password and continue.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/21.JPG\" alt=\"\" width=\"419\" height=\"429\" \/>\n\nFigure 21: We are greeted by the \"Shutdown Event Tracker\". We had been left at the logon screen and had not shut the server down properly.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/22.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 22: And finally our session opens.\n\n<img src=\"http:\/\/documents.borayildiz.com\/resimler\/makale\/smartcard\/23.JPG\" alt=\"\" width=\"800\" height=\"600\" \/>\n\nFigure 23: The desktop is in front of us.\n\nWe can group what we did into 2 main parts.\n\nThe first part is to intervene from outside in the local settings of the machine the policy is applied to, that is, the registry, and undo the changes made by the policy.\n\nThe second part is to change only the smart card-related section of the policy applied to the machine, so that the changes we made in the registry become permanent. Instead of completely resetting the entire policy applied to the machine, we changed only the smart card section that was causing us trouble at logon.","_tr_post_name":"windows-server-2003-uzerinde-smart-card-logon-sorunu","_tr_post_excerpt":"","_tr_post_title":"Smart Card logon problem on Windows Server 2003","edit_language":"en"},"categories":[13],"tags":[67,312,357,358,408,409,538,1598,633,634,748,749,1033,1034,1076,1077,1078,1087,1145,1156,1213,1214,1215,1285,1374,1495],"_links":{"self":[{"href":"https:\/\/www.borayildiz.com\/blog\/en\/wp-json\/wp\/v2\/posts\/92"}],"collection":[{"href":"https:\/\/www.borayildiz.com\/blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.borayildiz.com\/blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.borayildiz.com\/blog\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.borayildiz.com\/blog\/en\/wp-json\/wp\/v2\/comments?post=92"}],"version-history":[{"count":1,"href":"https:\/\/www.borayildiz.com\/blog\/en\/wp-json\/wp\/v2\/posts\/92\/revisions"}],"predecessor-version":[{"id":1158,"href":"https:\/\/www.borayildiz.com\/blog\/en\/wp-json\/wp\/v2\/posts\/92\/revisions\/1158"}],"wp:attachment":[{"href":"https:\/\/www.borayildiz.com\/blog\/en\/wp-json\/wp\/v2\/media?parent=92"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.borayildiz.com\/blog\/en\/wp-json\/wp\/v2\/categories?post=92"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.borayildiz.com\/blog\/en\/wp-json\/wp\/v2\/tags?post=92"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}