Smartcard Issue in 2003? : Problem Solved
From: Kare Langedrag / ErgoGroup (ErgoGroup_at_discussions.microsoft.com)
Date: 04/20/05
- Previous message: Petar Popara: "Re: CryptImportKey() & CryptExportPublicKeyInfo()"
- Next in thread: David Cross [MS]: "Re: Smartcard Issue in 2003? : Problem Solved"
- Reply: David Cross [MS]: "Re: Smartcard Issue in 2003? : Problem Solved"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 20 Apr 2005 02:05:03 -0700
Start reading from below, this is cut'n paste from an old thread which was
not solved at that time.
If someone from Microsoft is reading this, I am hoping that someone will
update the CSP developer guides with this relevant information.
---------------------------------------------
SOLUTION TO PROBLEM 1: When we use the web page certsces.asp, our CSP is not
selectable

In order for the CSP to appear in the list of possible CSP's for smart card
logon, you have to make sure that the IMP_TYPE returned from GetProvParams is
set to CRYPT_IMPL_REMOVABLE | CRYPT_IMPL_MIXED. This was a tricky one, since
this was not documented in the CSP guides from Microsoft. (What is "mixed" by
the way?)

SOLUTION TO PROBLEM 2: When we create new smartcard templates, and add them
to the CA, these templates are also not selectable through certsces.asp

There are two not so obvious requirements here.

First, Microsoft decided that we have to buy the Enterprise license in order
to use custom templates. Thus, in order for new templates to be selectable
in certsces.asp you should first make sure that your servers (CA and
Domain Controller) are running the Enterprise version of Windows Server 2003.

Second, certsces.asp requires one enrollment certificate for
authorisation. You can do this by clicking the Issuance Requirements tab in
the certificate template, and then making sure that the "This number of
authorized signatures" check box is selected and that the value is set to 1.
-----------------------------------------
OK, I will try to explain it one more time......
1. we have created our own smartcard
2. we have created our own smartcard CSP (cryptographic service provider)
3. we have successfully enrolled several smartcard templates
4. we have successfully enrolled with both the web pages and the mmc
certificates snap-in
5. our CSP and smartcard are working properly
but, our problem is...
1. When we use the web page certsces.asp, our CSP is not selectable
2. When we create new smartcard templates, and add them to the CA, these
templates are also not selectable through certsces.asp
I have the following questions:
1. How can we get the newly created smartcard templates to be selectable in
the certsces.asp web page?
2. How can we get our custom smartcard CSP to be selectable in the certsces.asp
web page?
3. Is there another way for the administrator to issue a certificate on
behalf of another user?
"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:ekadW0muDHA.2060@TK2MSFTNGP10.phx.gbl...
OK - I am slightly confused on exactly what is failing. Smartcard
enrollment station (web pages)?
What are you using as a client? Is the web server running on the CA?
Are you using the enrollment agent cert on a smartcard? I assume the
client has two readers installed?
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Kaare Langedrag" <kare.langedrag@ergo.no> wrote in message
news:O6bep3juDHA.1340@TK2MSFTNGP09.phx.gbl...
Yes, I have done both, and it is possible to enroll through the MMC
template for the current user. We had a problem issuing our templates because
we used 2003 Standard instead of 2003 Enterprise. With a 2003 Enterprise as
an issuing CA we can now issue our templates, BUT we still have got the same
problem....
Our problem is to let Administrator issue a smartcard on behalf of another
user. We want the Administrator user (or another user we give the privileges
to issue smartcards) to issue smartcards. We do not want to give users a
password and let them issue their own cards.
"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:e4WfeBeuDHA.3496@TK2MSFTNGP11.phx.gbl...
> 1. Have you tried to enroll through the certificates MMC snap-in on the
> client as an alternate test?
>
> 2. have you added the updated template to the CA using the CA snap-in?
>
> you should be able to add any CSP you want as long as it is valid for the
> key purpose in the template...
>
>
> --
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "Kaare Langedrag" <kare.langedrag@ergo.no> wrote in message
> news:uaru%230buDHA.1996@TK2MSFTNGP12.phx.gbl...
> > > 1. is the CSP installed on the web server? it must for the drop down list
> > > to contain your CSP
> >
> > Yes, the CSP is installed on the webserver (same server as our issuing CA).
> > It seems like the scripts in certsces.asp do not list new smartcard
> > templates, nor new CSP's! Does this mean we are unable to issue
> > certificates if we do not use cards from the three "hardcoded" CSP's from
> > the smartcarduser template?! Might it be that SCrdEnr.enumCSPName does not
> > return our CSP name?
> >
> > Is there another way for the administrator to issue user certificates? What
> > is the procedure to set up a computer to automatically ask for a smartcard
> > when you create a user? I have done that some months ago, but I do not
> > remember the procedure to do it :-)
> >
> > > 2. the web enrollment agent is the enrollment agent template, not the
> > > smartcard template
> >
> > What I meant: which of the smartcard templates will become available in the
> > smartcard enrollment asp scripts (i.a. certsces.asp)? As far as I can see,
> > none of them will be available unfortunately.
> >
> > > 3. the template snap-in is global for the entire forest
> >
> > OK, thanx.
> >
> > > 4. when you configure the CA using the CA snap-in, you add the exact
> > > template(s) you wish the CA to issue, so I don't understand your question.
> > > are you actually adding the templates to the CA or are you only creating
> > > them in the templates snap in?
> > >
> > > --
> > > David B. Cross [MS]
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > >
> > > http://support.microsoft.com
> > >
> > > "Kaare Langedrag" <kare.langedrag@ergo.no> wrote in message
> > > news:%23RB71eYuDHA.620@TK2MSFTNGP10.phx.gbl...
> > > > Sorry for all my questions, but I have real problems with understanding
> > > > all the "undocumented implicit actions" taken when changing the certificate
> > > > templates.
> > > >
> > > > 1) I have already done this, but it does not seem to work this way. I have
> > > > made a copy of the smartcarduser and smartcardlogon certificates, and I have
> > > > tried both adding our CSP to the template and selecting the "any CSP
> > > > available" option. Even if I configure the templates not to use Gemplus,
> > > > Schlumberger and Infineon, it does not change the content of the dropdown
> > > > box. Why is this happening? I know there has been a vast amount of delay
> > > > issues in the 2000/2003 server configs (you should really point this out in
> > > > dialog boxes), can this be the reason?
> > > >
> > > > 2) If I create two or more copies of the smartcarduser template, how do I
> > > > know which of the templates are used for the web enrollment agent?
> > > >
> > > > 3) When we have multiple CA's, and start the template snap-in from an
> > > > arbitrary computer, for which CA is the template editor active?
> > > >
> > > > 4) When I configure a CA to issue a new certificate type (template), how do
> > > > I know which of the copied templates I actually do add? Are you sure it does
> > > > not always add the default grayed out templates after all?
> > > >
> > > > (as far as I have seen, the default, grayed out templates are always used
> > > > anyway, and only the three default smartcard CSP's can be chosen, even
> > > > though the template says "any CSP")
> > > >
> > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > news:ODlJxgNuDHA.3468@TK2MSFTNGP11.phx.gbl...
> > > > > you need to add it to the list of CSPs on the version 2 template before it
> > > > > will be listed. you must edit the version 2 template from a machine that
> > > > > has the CSP installed:
> > > > >
> > > > > Cert templates -
> > > > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/ws03crtm.asp
> > > > >
> > > > > --
> > > > > David B. Cross [MS]
> > > > > --
> > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > >
> > > > > http://support.microsoft.com
> > > > >
> > > > > "Kaare Langedrag" <kare.langedrag@ergo.no> wrote in message
> > > > > news:%230Q0OVMuDHA.3536@tk2msftngp13.phx.gbl...
> > > > > > Hi,
> > > > > >
> > > > > > We have developed our own smartcard CSP, and it seems to work perfectly
> > > > > > except for this one case... Our CSP is installed on a subordinate enterprise
> > > > > > certificate authority. We have installed IIS with the certificate services
> > > > > > asp pages on the same machine as well. Our problem is that when we use the
> > > > > > web based smartcard enrollment station in W2003, our CSP is not selectable
> > > > > > in the list of CSP's (only Gemplus, Infineon and Schlumberger are on the
> > > > > > list).
> > > > > >
> > > > > > How can we get our CSP listed in the dropdown box?
> > > > > >
> > > > > > (PS: there are no CSP restrictions set either on the template for smartcard
> > > > > > logon or smartcard user)
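As an added illustration of the first solution above (this is not code from the thread or from the poster's CSP): a stand-in for the PP_IMPTYPE case of a smart card CSP's CPGetProvParam entry point, returning CRYPT_IMPL_REMOVABLE | CRYPT_IMPL_MIXED, followed by the two-call query a caller such as an enrollment page performs and a check that both bits are present. The typedefs and constants are reproduced here so the file builds without the Windows SDK; the numeric values are the ones wincrypt.h and winerror.h define, while the function names (CPGetProvParam_imptype, provider_advertises_removable_mixed, query_imptype, error_for_short_buffer) are this example's own. It also answers the "what is mixed?" aside: CRYPT_IMPL_MIXED is 3, i.e. CRYPT_IMPL_HARDWARE | CRYPT_IMPL_SOFTWARE, meaning the provider does part of its cryptography on the card and part in software on the host.

```c
/* Added example, not the thread author's CSP.  Stand-ins for the Windows
 * types and constants (values as defined in wincrypt.h / winerror.h). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t DWORD;
typedef uint8_t  BYTE;
typedef int      BOOL;
#define TRUE  1
#define FALSE 0

#define PP_IMPTYPE            19   /* CryptGetProvParam: implementation type */
#define CRYPT_IMPL_HARDWARE   1
#define CRYPT_IMPL_SOFTWARE   2
#define CRYPT_IMPL_MIXED      3    /* == CRYPT_IMPL_HARDWARE | CRYPT_IMPL_SOFTWARE */
#define CRYPT_IMPL_REMOVABLE  8

#define ERROR_SUCCESS         0
#define ERROR_MORE_DATA       234
#define NTE_BAD_FLAGS         0x80090009
#define NTE_BAD_TYPE          0x8009000A

/* Stand-in for SetLastError()/GetLastError(). */
static DWORD g_last_error = ERROR_SUCCESS;
DWORD csp_last_error(void) { return g_last_error; }

/* CSP side: only PP_IMPTYPE is handled here.  Follows the CryptoAPI buffer
 * protocol: a NULL pbData queries the required size; a short buffer fails
 * with ERROR_MORE_DATA and reports the required size. */
BOOL CPGetProvParam_imptype(DWORD dwParam, BYTE *pbData,
                            DWORD *pdwDataLen, DWORD dwFlags)
{
    const DWORD imp_type = CRYPT_IMPL_REMOVABLE | CRYPT_IMPL_MIXED;  /* 0x0B */

    if (pdwDataLen == NULL || dwFlags != 0) {
        g_last_error = NTE_BAD_FLAGS;
        return FALSE;
    }
    if (dwParam != PP_IMPTYPE) {
        g_last_error = NTE_BAD_TYPE;
        return FALSE;
    }
    if (pbData == NULL) {                 /* size query */
        *pdwDataLen = sizeof imp_type;
        g_last_error = ERROR_SUCCESS;
        return TRUE;
    }
    if (*pdwDataLen < sizeof imp_type) {  /* caller's buffer too small */
        *pdwDataLen = sizeof imp_type;
        g_last_error = ERROR_MORE_DATA;
        return FALSE;
    }
    memcpy(pbData, &imp_type, sizeof imp_type);
    *pdwDataLen = sizeof imp_type;
    g_last_error = ERROR_SUCCESS;
    return TRUE;
}

/* Caller side: two-call pattern (size query, then fetch).
 * Returns the PP_IMPTYPE value, or 0xFFFFFFFF on error. */
DWORD query_imptype(void)
{
    DWORD len = 0, value = 0;
    BYTE buf[sizeof(DWORD)];

    if (!CPGetProvParam_imptype(PP_IMPTYPE, NULL, &len, 0) || len > sizeof buf)
        return 0xFFFFFFFFu;
    if (!CPGetProvParam_imptype(PP_IMPTYPE, buf, &len, 0))
        return 0xFFFFFFFFu;
    memcpy(&value, buf, sizeof value);
    return value;
}

/* 1 if both bits the thread says the enrollment station needs are set,
 * 0 if not, -1 on error. */
int provider_advertises_removable_mixed(DWORD *imp_type_out)
{
    DWORD value = query_imptype();
    if (value == 0xFFFFFFFFu) return -1;
    if (imp_type_out) *imp_type_out = value;
    return ((value & CRYPT_IMPL_REMOVABLE) &&
            (value & CRYPT_IMPL_MIXED) == CRYPT_IMPL_MIXED) ? 1 : 0;
}

/* Demonstrates the short-buffer path: returns the error code the CSP sets. */
DWORD error_for_short_buffer(void)
{
    BYTE small[1];
    DWORD len = sizeof small;
    (void)CPGetProvParam_imptype(PP_IMPTYPE, small, &len, 0);
    return csp_last_error();
}

int main(void)
{
    DWORD v = 0;
    int ok = provider_advertises_removable_mixed(&v);
    printf("PP_IMPTYPE = 0x%02X, removable+mixed: %s\n",
           (unsigned)v, ok == 1 ? "yes" : "no");
    return ok == 1 ? 0 : 1;
}
```

A CSP that returned only CRYPT_IMPL_HARDWARE here would fail the check, which is the symptom the thread describes: the provider works for ordinary enrollment but is absent from the smart card enrollment station's CSP list.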