Re: Smart card logon & remote desktop



Send details of the issue to hotline@xxxxxxxxxxx
They may be able to help you.
I have seen this issue with many legacy CSPs.
Are you using a custom GINA by any chance?
Brian

"Dimitri" <Dimitri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:4749B770-72FA-4FBE-B3DC-B5A66A1600D2@xxxxxxxxxxxxxxxx
Dear all,

I have a problem using smart card logon through a remote desktop connection.
I can successfully login using my smart card, but when I remove the card, the
station does not become locked whatever the state of the "smart card
behavior" option (note that it successfully locks the station when I logon on
the computer locally). Removing the card has just no effect.

Then, if I try to lock the station manually, I immediately see the PIN
dialog (without going through the "windows security" dialog), but:
- when I try to enter the PIN, it fails to unlock the station (a generic
error message is shown).
- when I click "cancel", I have to unlock the station manually using
login+password because the GINA is not responsive to smart card events
anymore.

This appears with both a custom CSP of mine and with the ACS (Axalto) CSP.
However, I have a test environment (domain controller + remote station +
remote client) on which it appears all the time (it worked only once, I don't
know why) and another environment where it does not seem to appear.
Unfortunately, my client is facing the same problem in his environment.

I tried to analyse the problem deeper and it seems the logon process does
not receive smart card events anymore simply because it does not manage to
get a valid smart card context. My CSP is called when I try to enter the PIN
to unlock the station and I could see that it does not manage to call
SCardAcquireContext successfully (although it manages to do so for logging
on). However, once the station is unlocked, all applications manage to get
and use smart card contexts successfully.

I have seen two KB articles 875506 and 910482 that discuss similar problems
but installing these hotfixes did not solve anything.

Note: this message was previously posted on platformsdk.security with no
answer.

Thanks

