Q. Is there a way to provide graded authentication on the Windows platform? We'd like to give users access to confidential file server resources only after they go through a successful smart card-based Windows authentication sequence.

A. Graded authentication is a mechanism that determines access to resources not only by verifying the credentials a user provides, but also by checking the authentication protocol or method that was used to log on to Windows. Windows supports graded authentication through the new authentication mechanism assurance feature that Microsoft includes in the Windows Server 2008 R2 OS.

Authentication mechanism assurance lets network resource administrators control access to resources based on whether the user logs on using a certificate- or smart card-based logon and based on the type of certificate that was used. For example, when a user logs on using a smart card, the user's access to resources on the network can be different from the access he gets when he logs on using a plain username and password.

Authentication mechanism assurance uses a group that Windows automatically adds to a user's Kerberos token when the user authenticates using a smart card or a certificate-based logon method. It also uses a mapping that's defined between this group and an issuance policy that's contained in the certificate that's used for authentication. The group's membership is dynamic and changes depending on which users have logged on using a particular certificate. Administrators can then use this group to set specific permissions on file server resources.

Authentication mechanism assurance is only available when your Active Directory (AD) domain functional level is set to Windows Server 2008 R2. Before you can use authentication mechanism assurance, you must also define certificate templates with specific issuance policy extensions, issue user certificates based on these custom templates, create AD groups, map the issuance policies to those groups, and set access control on your resources using these groups. For mapping the issuance policies to groups you can use PowerShell cmdlets. Sample PowerShell scripts and more detailed information on how to get your AD environment ready for authentication mechanism assurance are available in the authentication mechanism assurance step-by-step guide.
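The following is an added PowerShell example of the issuance-policy-to-group mapping step, not a script from the column or from the Microsoft step-by-step guide. It assumes the ActiveDirectory module, a group named SmartCardAssured and an issuance policy whose display name is "Smart Card Assurance Policy"; both names are placeholders.

```powershell
# Added example: link an issuance policy OID to an AD group so that Windows
# adds the group to the Kerberos token of users who log on with a certificate
# carrying that policy. Assumed names: group 'SmartCardAssured' and issuance
# policy 'Smart Card Assurance Policy'. Run with rights to the configuration
# partition (typically Enterprise Admins).
Import-Module ActiveDirectory

$groupName  = 'SmartCardAssured'             # assumed group name
$policyName = 'Smart Card Assurance Policy'  # assumed issuance policy display name

# Issuance policy OID objects live in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$oidBase  = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

# The mapped group must be a universal security group, and Windows populates it
# only at logon time, so it must not carry static members.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Universal `
                         -GroupCategory Security -PassThru
}
if (Get-ADGroupMember -Identity $group) {
    throw "Group '$groupName' must not have static members."
}

# Find the issuance policy object by display name; its OID is stored in
# msPKI-Cert-Template-OID and the group link in msDS-OIDToGroupLink.
$filter = "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$policyName))"
$policy = Get-ADObject -SearchBase $oidBase -LDAPFilter $filter `
                       -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink
if (-not $policy) { throw "Issuance policy '$policyName' not found under $oidBase" }

# Write the mapping: the policy's msDS-OIDToGroupLink points at the group DN.
Set-ADObject -Identity $policy.DistinguishedName `
             -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Read the object back and show the OID that issued certificates must carry.
$linked = Get-ADObject -Identity $policy.DistinguishedName `
                       -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink
"Issuance policy OID {0} is now linked to {1}" -f `
    $linked.'msPKI-Cert-Template-OID', $linked.'msDS-OIDToGroupLink'
```

To confirm the mapping works, have a test user log on once with a certificate issued from the template that carries this policy and once with a password, and run `whoami /groups` in each session: the group should appear only in the smart card session, which is what makes ACLs granted to it a graded control rather than a static one.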