Starting Windows SmartCard kerberos logon without reinserting the SC

Igor.Jovanovski_at_gmail.com
Date: 04/29/05


Date: 29 Apr 2005 05:08:33 -0700

Hi,

Microsoft SmartCard Kerberos logon works or is triggered only when the
SmartCard is explicitly inserted in the SmartCard reader.
In our custom GINA we want to start this process right after the
restart when the GINA welcome screen appears and the card has been
already present in the reader.
Therefore in our custom GINA we post a WLX_SAS_TYPE_SC_INSERT message
to Winlogon to notify (or simulate) if we detect that a card is present
in the reader, so that we start the Kerberos logon without the user
needing to physically reinsert the card. (Just as an info, during this
logon there is also our implementation of PIN posting to the MS GINA
PIN dialog.) If the Windows SC logon is being kicked off like that, then
it fails. If it is being started by normal smartcard insertion (so the
WLX_SAS_TYPE_SC_INSERT is generated in the normal way), then it works ok.
Currently we post a WLX_SAS_TYPE_SC_INSERT message from a thread
started in WlxDisplaySASNotice.
This triggers the WlxLoggedOutSAS. (Just as an info, if we call here,
in WlxLoggedOutSAS, the function WlxGetOption(hGlobalWlx,
WLX_OPTION_SMART_CARD_INFO, ...), the returned structure is empty, i.e. no
Card/Reader/Container/CryptoProvider data.) Forwarding the
WlxLoggedOutSAS call then to the msgina.dll fails. Our assumption is
that in order for the Windows SC logon to succeed the
WLX_SAS_TYPE_SC_INSERT must originate from winlogon itself and not be
"artificially" posted.
So the question would be: is there a way to start the Windows SC
Kerberos logon with a custom cascading GINA when a SC is already
present in the SC reader (without explicitly inserting the SmartCard)?
Any light on this topic would be very appreciated.

Igor Jovanovski


