Re: Smartcard removal not detected after login on Windows 2003 server

From: Eric Perlin [MS] (ericperl_at_online.microsoft.com)
Date: 10/22/04


Date: Thu, 21 Oct 2004 15:15:59 -0700

1) Yes. Windows 2000 was overzealous with regards to the implementation of
the smartcard removal policy (removal of any card would trigger it, when the
intention was that only the removal of the card used for logon should).
Windows XP should already implement what I described below though.
There have been further enhancements for Windows 2003, especially around the
handling of cases where there is more than one reader on the machine. But I
don't believe they are relevant to this case.

2) Unfortunately, the flag that's tested when the SC removal is processed is
based on the SAS that was used at logon/unlock (CAD vs. SC insertion).
So the answer is "no".

-- 
Eric Perlin [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
---
"Ian Stevenson" <ianstevenson@hotmail.com> wrote in message
news:b09efd78.0410182324.32b1b522@posting.google.com...
> Thanks heaps for the reply - I was about to assume no one had any
> ideas.
>
> But how come it works on Windows 2000 Server, Windows XP workstation
> (domain connected), but not Windows 2003? Is it because the GINA code
> has been 'fixed' for windows 2003?
>
> But the idea of it discarding the message does make sense, because
> I've found the code that we do at WlxLoggedOutSAS() to trick the GINA
> into thinking we're not logging in with smartcard. The code is as
> follows:
>
> ---------------------------------
> //
> // Prevent MSGINA from displaying the dialog box with only the PIN
> // password control, i.e. this will force MSGINA to display the normal
> // logon dialog box.
> //
> DWORD dwMySasType = dwSasType;
> if (dwMySasType == WLX_SAS_TYPE_SC_INSERT)
> {
>   dwMySasType = WLX_SAS_TYPE_CTRL_ALT_DEL;
> }
>
> iRet = pfWlxLoggedOutSAS(pWlxContext,
>   dwMySasType,
>   pAuthenticationId,
>   pLogonSid,
>   pdwOptions,
>   phToken,
>   pMprNotifyInfo,
>   pProfile);
> ---------------------------------
>
> You can see here that we are telling the GINA that we did not insert a
> smartcard, but actually just pressed CTRL-ALT-DEL. As a result it
> prompts us for username and password and we're able to stop the
> smartcard dialog from happening.
>
> So could you please answer these questions:
> 1) Is this only happening on Windows 2003 because of some sort of fix
> to the GINA?
> 2) Is there any way to still do the above code snippet, but then after
> the call to the GINA's WlxLoggedOutSAS (above as pfWlxLoggedOutSAS)
> tell it that we did log in with smartcard? (This is the important
> question.)
>
> Thanks for your help, I look forward to anything else you can tell me.
>
> Cheers,
> IS.
>
>
> "Eric Perlin [MS]" <ericperl@online.microsoft.com> wrote in message
> news:<uEFfJuXtEHA.4040@TK2MSFTNGP09.phx.gbl>...
> > WLX_SAS_TYPE_SC_REMOVE is discarded by MSGina's version of WlxLoggedOnSAS
> > if the smartcard wasn't used for logon/unlock.
> > -- 
> > Eric Perlin [MS]
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > ---
> >
> > "Ian Stevenson" <ianstevenson@hotmail.com> wrote in message
> > news:b09efd78.0410112250.7351129c@posting.google.com...
> > > I have a gina hook that is having problems detecting smartcard removal
> > > after login. Let me elaborate.
> > >
> > > 1. I boot up the machine and am presented at the login SAS screen.
> > > 2. I insert smartcard and am taken to the login panel (because of the
> > > smartcard being inserted).
> > > 3. The log in panel is not the MS PIN only login panel, but the normal
> > > username/password one and it's been augmented slightly by us.
> > > 4. I do what's needed to log in and arrive happily at the desktop.
> > > 5. I remove the smartcard (and seeing I've done
> > > WlxSetOption(WLX_OPTION_USE_SMART_CARD, 1) and have an
> > > WLX_SAS_TYPE_SC_REMOVE message handler in WlxLoggedOnSAS()) I expect
> > > the screen to lock.
> > > 6. Nothing happens - no screen lock.
> > > 7. So with smartcard still removed I lock the screen manually (with
> > > CTRL-ALT-DEL)
> > > 8. I then insert the smartcard and our screen unlock routine kicks off
> > > - as expected
> > > 9. After authenticating (with the smartcard) I arrive back at the
> > > desktop
> > > 10. I now remove the card again BUT this time it locks (whereas at
> > > step 6. above it previously did nothing).
> > >
> > > So my question is, why is my gina hook only notified of smartcard
> > > removals after I've done a screen lock?
> > >
> > > Some info:
> > > - To make sure that the WlxSetOption is done as late as possible (so
> > > that no other msgina calls override it - I do it in my
> > > WlxActivateUserShell() after calling the windows version.
> > > - I have a messagebox at the very start of WlxLoggedOnSAS(), but it
> > > never gets hit when the smartcard is removed (before the manual screen
> > > lock - when everything is working I see that messagebox as soon as I
> > > remove the card).
> > >
> > > I realise that there might be something that my code is doing in the
> > > screen unlock, but I haven't been able to find it. So if anyone at all
> > > can shed some light on this (even in a general sort of way) I'd very
> > > much appreciate it.
> > >
> > > Thanks,
> > > Ian.
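The following C program is an added illustration of the behaviour Eric describes; it is not code from either poster or from MSGINA. It models the one piece of state that matters here: MSGINA remembers which SAS type authenticated the current session (logon or unlock), and in WlxLoggedOnSAS it discards WLX_SAS_TYPE_SC_REMOVE unless that recorded SAS was a smartcard insertion. The hook's rewrite of WLX_SAS_TYPE_SC_INSERT to WLX_SAS_TYPE_CTRL_ALT_DEL at logon therefore silently switches the removal policy off until the next unlock performed with the card. The `msgina_*` functions, the `GinaModel` struct and the numeric stand-in values for the WLX_SAS_TYPE_* constants are my own simplifications so the model compiles outside the Windows SDK; the real definitions live in winwlx.h.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in values so this model builds without winwlx.h (assumption: only
 * the distinctness of the codes matters to the logic shown here). */
#ifndef WLX_SAS_TYPE_CTRL_ALT_DEL
#define WLX_SAS_TYPE_CTRL_ALT_DEL 1
#define WLX_SAS_TYPE_SC_INSERT    5
#define WLX_SAS_TYPE_SC_REMOVE    6
#endif

/* Hypothetical model of the state MSGINA keeps for the session. */
typedef struct {
    bool     logged_on;
    bool     locked;
    unsigned auth_sas;  /* SAS type that performed the last logon or unlock */
} GinaModel;

/* Model of MSGINA's WlxLoggedOutSAS: records the SAS that logged the user on. */
static void msgina_logged_out_sas(GinaModel *g, unsigned sas)
{
    g->logged_on = true;
    g->locked    = false;
    g->auth_sas  = sas;
}

/* Model of MSGINA's WlxWkstaLockedSAS unlock path: records the unlocking SAS.
 * The hook in the thread does not rewrite this path, so a card unlock is seen as-is. */
static void msgina_unlock(GinaModel *g, unsigned sas)
{
    g->locked   = false;
    g->auth_sas = sas;
}

/* Model of MSGINA's WlxLoggedOnSAS. Returns true when the workstation ends up locked.
 * SC_REMOVE is honoured only if a smartcard insertion authenticated the session. */
static bool msgina_logged_on_sas(GinaModel *g, unsigned sas)
{
    if (sas == WLX_SAS_TYPE_SC_REMOVE) {
        if (g->auth_sas != WLX_SAS_TYPE_SC_INSERT)
            return false;               /* discarded: card was not used for logon/unlock */
        g->locked = true;
        return true;
    }
    if (sas == WLX_SAS_TYPE_CTRL_ALT_DEL) {
        g->locked = true;               /* simplified: treat CAD here as a manual lock */
        return true;
    }
    return false;
}

/* The hook's rewrite from Ian's WlxLoggedOutSAS, parameterised so both variants run. */
static unsigned hook_rewrite_sas(unsigned sas, bool rewrite_enabled)
{
    if (rewrite_enabled && sas == WLX_SAS_TYPE_SC_INSERT)
        return WLX_SAS_TYPE_CTRL_ALT_DEL;
    return sas;
}

/* Steps 1-6 of the original report: log on by inserting the card, then remove it. */
static bool removal_locks_after_logon(bool hook_rewrites_sas)
{
    GinaModel g = {0};
    msgina_logged_out_sas(&g, hook_rewrite_sas(WLX_SAS_TYPE_SC_INSERT, hook_rewrites_sas));
    return msgina_logged_on_sas(&g, WLX_SAS_TYPE_SC_REMOVE);
}

/* Steps 7-10: manual lock, unlock with the card (not rewritten), remove it again. */
static bool removal_locks_after_card_unlock(bool hook_rewrites_sas)
{
    GinaModel g = {0};
    msgina_logged_out_sas(&g, hook_rewrite_sas(WLX_SAS_TYPE_SC_INSERT, hook_rewrites_sas));
    msgina_logged_on_sas(&g, WLX_SAS_TYPE_SC_REMOVE);    /* step 5/6: ignored */
    msgina_logged_on_sas(&g, WLX_SAS_TYPE_CTRL_ALT_DEL); /* step 7: manual lock */
    msgina_unlock(&g, WLX_SAS_TYPE_SC_INSERT);           /* step 8/9: unlock with card */
    return msgina_logged_on_sas(&g, WLX_SAS_TYPE_SC_REMOVE); /* step 10 */
}

int main(void)
{
    printf("hook rewrites SAS : removal after logon locks=%d, after card unlock locks=%d\n",
           removal_locks_after_logon(true), removal_locks_after_card_unlock(true));
    printf("hook passes SAS   : removal after logon locks=%d, after card unlock locks=%d\n",
           removal_locks_after_logon(false), removal_locks_after_card_unlock(false));
    return 0;
}
```

The practical point for anyone maintaining such a hook is that the rewrite trades the PIN-only dialog for a lost security control: the card-removal lock is disabled for the whole session until a card unlock restores it. A regression test like the one above, run against the real GINA chain on each supported Windows version, is the cheapest way to notice that kind of silent policy change.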
