Re: Smart card logon & remote desktop



To back up Svyatoslav: GINA is dead, long live the credential provider.
Brian

"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message news:uH1B5v0KIHA.5160@xxxxxxxxxxxxxxxxxxxxxxx
1. The issue you're describing is with Gemalto cards and their CSP too - so you are a customer and can ask;
2. Card removal/insertion detection is not a part of MS GINA - so there will be no hotfix;
3. Forget writing your own GINA. Seriously.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Dimitri" <Dimitri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:1590DE6D-C570-4C7C-B149-382990A2A128@xxxxxxxxxxxxxxxx
Thanks Brian,

However, I can't really ask Gemalto for some help. I'm a [very very small]
competitor, not a customer.
I use the standard Windows GINA, not a custom one. I guess that developing a
specific GINA would certainly solve the problem. But - as far as I could
investigate - I see this issue as (maybe) a bug in the Microsoft GINA, so I'd
rather have Microsoft publish a hotfix than redevelop it myself. But I
could also be wrong...

Anybody from Microsoft, please help...

Dimitri

"Brian Komar" wrote:

Send details of the issue to hotline@xxxxxxxxxxx
They may be able to help you.
I have seen this issue with many legacy CSPs.
Are you using a custom GINA by any chance?
Brian

"Dimitri" <Dimitri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4749B770-72FA-4FBE-B3DC-B5A66A1600D2@xxxxxxxxxxxxxxxx
> Dear all,
>
> I have a problem using smart card logon through a remote desktop
> connection.
> I can successfully log in using my smart card, but when I remove the card,
> the station does not become locked whatever the state of the "smart card
> behavior" option (note that it successfully locks the station when I log on
> to the computer locally). Removing the card has just no effect.
>
> Then, if I try to lock the station manually, I immediately see the PIN
> dialog (without going through the "windows security" dialog), but:
> - when I try to enter the PIN, it fails to unlock the station (a generic
> error message is shown).
> - when I click "cancel", I have to unlock the station manually using
> login+password because the GINA is not responsive to smart card events
> anymore.
>
> This appears with both a custom CSP of mine and with the ACS (Axalto) CSP.
> However, I have a test environment (domain controller + remote station +
> remote client) on which it appears all the time (it worked only once, I
> don't know why) and another environment where it does not seem to appear.
> Unfortunately, my client is facing the same problem in his environment.
>
> I tried to analyse the problem deeper and it seems the logon process does
> not receive smart card events anymore simply because it does not manage to
> get a valid smart card context. My CSP is called when I try to enter the
> PIN to unlock the station and I could see that it does not manage to call
> SCardAcquireContext successfully (although it manages to do so for logging
> on). However, once the station is unlocked, all applications manage to get
> and use smart card contexts successfully.
>
> I have seen two KB articles 875506 and 910482 that discuss similar
> problems, but installing these hotfixes did not solve anything.
>
> Note: this message was previously posted on platformsdk.security with no
> answer.
>
> Thanks
>



