Implementing Web Single Sign On With Windows CardSpace

Passwords have always been somewhat of a challenge for help desk staff. Normally, resetting a user’s password isn’t a huge deal. The problem is that help desk personnel are often asked to reset an excessive number of passwords each day, which takes time away from helping those who have more serious problems. Further compounding the problem is the fact that so many Web sites require passwords for access. Many times Web sites that users rely upon to get their jobs done are not owned by the company, and are therefore out of the company’s control. Even so, the end users still expect the help desk staff to be able to reset the passwords on these Web sites.

Fortunately, Windows Vista contains a new component that might be able to help with these problems; Windows CardSpace. The idea behind Windows CardSpace is that it allows users to create a sort of virtual business card which contains the same types of personal information that they would normally have to enter when making an online purchase (credit card numbers are not included except with some managed cards, which I will talk about later). Web sites can be configured to ask users for their card rather than requiring them to enter a username and password. This works in the user’s favor, because not only do they not have to remember a password for each Web site, the card keeps them from having to manually enter their information onto each Web site.

To access Windows CardSpace, open the Control Panel and click on the User Accounts link, followed by the Windows CardSpace link. When you do, Windows will display an introductory screen that tells you a little bit about what Windows CardSpace does. Click OK to clear the screen and you’ll be taken to the main Windows CardSpace screen.

By default, Windows CardSpace has no existing cards, so you will have to create one from scratch. To do so, click the Add a Card link. You will now be prompted as to whether you would like to create a personal card or a managed card.

Personal cards are general-purpose information cards. They allow you to enter your information and then stores the information on your hard disk in encrypted format. Because the personal card is general-purpose in nature, you can create a single card that can be used with the many different websites.

Managed cards are site specific. The primary difference between managed cards and personal cards is that managed cards are issued by the site on which they are to be used. Typically, if a site issues a managed card the card will contain information specific to interacting with the site that issued it.  For example, a managed card might contain your shipping address and credit card number.

Creating a Card

To demonstrate how Windows CardSpace  works, let’s create a personal card. To do so, click the Create a Personal Card link. When you do, Windows will display a form for you to fill out. Unfortunately, Windows Vista locks down the rest of the operating system while you are interacting with Windows CardSpace (this is a security precaution). This means that it is impossible for me to capture a screen shot of what this form looks like. Therefore, I will just describe the form to you.

The first section that you will have to fill out is the Card Properties section. Primarily this means giving the card a unique name, but you can also assign an image to the card. The image is optional, but I have seen people use their own picture or the logo to a specific website as the card’s image.

The next section of the screen involves filling in the information that can be sent to various websites by using the card. This section contains fields that you would typically have to manually fill out while shopping online. The fields include: first name, last name, e-mail address, street, city, state, postal code, country/region, home phone number, other phone number, mobile phone number, date of birth, gender, and the URL to your website.

When you have finished filling in the card data, click the Save button and your card will be created.

A Word About Security

From a security perspective it is probably a bit disturbing to think about a user’s personal information sitting on the workstation hard drive, even if the data is encrypted. Fortunately, this data is relatively secure. Not only is the card data encrypted on the hard drive, it becomes a part of the user’s profile which means that no one can access the data unless they are logged in as the user who created the card.

As an additional security measure, users can lock cards to prevent data from being accidentally disclosed. To lock the card, simply select it from the main Windows CardSpace screen and then click the Preview button. At this point, Windows will display a screen containing all of the information stored on the card. To the right of this information there are several links that you can use for various card maintenance purposes. One of these links is the Lock Card link. By using this link users can assign a PIN to the card.

A PIN can consist of any combination of numbers, letters, or symbols. Windows does not require users to use a PIN, but if a PIN is used it must be at least four characters in length. Microsoft recommends however that PINs have a minimum of eight characters.

Of course this brings up the question of what happens if a user forgets their PIN. If a PIN is forgotten, there is no way for the helpdesk to reset the PIN. In such a situation, the user would have to delete the card with the forgotten PIN and recreate it.

Moving CardSpace Cards

Earlier I mentioned that CardSpace cards become a part of a user’s profile. So what happens if a user moves to a different machine and roaming profiles are not in use? A user can easily transfer their cards to a new machine by performing a simple backup and restore procedure. Of course backing up cards is a good idea even if the user is not planning on switching machines.

The main Windows CardSpace screen contains links for backing up and restoring cards. Both procedures are extremely simple and the only information that the user is required to enter is the location that they want to backup to / restore from and which cards they want to backup or restore.


In this article, I have discussed some techniques for creating and maintaining Windows CardSpace cards. You might have noticed that I never talked about how to use the cards with your favorite Web site. The reason for this is that a Web site must be specifically designed to accept CardSpace cards. At the current time there aren’t many CardSpace aware Web sites. As time goes on and Vista becomes more heavily adopted, I expect CardSpace to gain much more popularity.

Windows CardSpace Site

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top