Starting Windows SmartCard kerberos logon without reinserting the SC

Igor.Jovanovski_at_gmail.com
Date: 04/29/05


Date: 29 Apr 2005 05:08:33 -0700

Hi,

Microsoft SmartCard Kerberos logon works or is triggered only when the
SmartCard is explicitly inserted in the SmartCard reader.
In our custom GINA we want to start this process right after the
restart when the GINA welcome screen appears and the card has been
already present in the reader.
Therefore in our custom GINA we post a WLX_SAS_TYPE_SC_INSERT message
to Winlgon to notify (or simulate) if we detect that a card is present
in the reader so that we start the Kerberos logon without the user
needing to phisicly reinsert the card. (Just as an info, during this
logon there is also our implementation of PIN posting to the MS GINA
PIN dialog.) If the Windows SC logon is being kicked off like that then
it fails. If it is being started by normal smartcard insertion (so the
WLX_SAS_TYPE_SC_INSERT is generated by normal way) than it works ok.
Currently we post a WLX_SAS_TYPE_SC_INSERT message from a thread
started in WlxDisplaySASNotice.
This triggers the WlxLoggedOutSAS. (just as an info, If we call here,
in WlxLoggedOutSAS, the function WlxGetOption(hGlobalWlx,
WLX_OPTION_SMART_CARD_INFO.. the returned structure is empty i.e. no
Card/Reader/Container/CryptoProvider data). Forwarding the
WlxLoggedOutSAS call then to the msgina.dll failes. Our assumption is
that in order for the Windows SC logon to succeed the
WLX_SAS_TYPE_SC_INSERT must originate from winlogon itself and not be
"artificialy" posted.
So the question would be: is there a way to start the Windows SC
Kerberos logon with a custom cascading GINA when a SC is already
present in the SC reader (without explicitly inserting the SmartCrad)?
Any light on this topic would be very appreciated.

Igor Jovanovski