Re: Smart card logon & remote desktop



For much of the world, universal adoption of Windows Vista and Windows
Server 2008 is still a few years off.

I am aware of numerous companies still running Windows Server 2000 - so any
solution that applies to Windows Server 2003 will probably still sell for
another three or four years at least.

However, I am with Slav in suggesting that writing your own GINA is
something that you should do only if you _know_ that there is no way to
achieve what you are looking to do outside of altering the GINA.

The OP should open a support case with Microsoft. This is surely worth it to
him and his company.

Alun.
~~~~

"Brian Komar" <brian.komar@xxxxxxxxxxxxxxxxx> wrote in message
news:D5AFA431-B5E8-4E56-84E7-071174CF171A@xxxxxxxxxxxxxxxx
To backup Svyatoslav, Gina is dead, long live the credential provider
Brian

"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:uH1B5v0KIHA.5160@xxxxxxxxxxxxxxxxxxxxxxx
1. The issue you're describing is with Gemalto cards and their CSP too -
so you are a customer and can ask;
2. Card removal/insertion detection is not a part of MS GINA - so there
will be no hotfix;
3. Forget writing your own GINA. Seriously.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Dimitri" <Dimitri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1590DE6D-C570-4C7C-B149-382990A2A128@xxxxxxxxxxxxxxxx
Thanks Brian,

However, I can't really ask Gemalto for some help. I'm a [very very small] competitor, not a customer.
I use the standard Windows GINA, not a custom one. I guess that developing a specific GINA would certainly solve the problem. But - as far as I could investigate - I see this issue as (maybe) a bug in the Microsoft GINA, so I'd rather have Microsoft publish a hotfix than re-develop it myself. But I could also be wrong...

Anybody from Microsoft, please help...

Dimitri

"Brian Komar" wrote:

Send details of the issue to hotline@xxxxxxxxxxx
They may be able to help you.
I have seen this issue with many legacy CSPs.
Are you using a custom GINA by any chance?
Brian

"Dimitri" <Dimitri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4749B770-72FA-4FBE-B3DC-B5A66A1600D2@xxxxxxxxxxxxxxxx
Dear all,

I have a problem using smart card logon through a remote desktop connection.
I can successfully log in using my smart card, but when I remove the card, the station does not become locked whatever the state of the "smart card behavior" option (note that it successfully locks the station when I log on to the computer locally). Removing the card has just no effect.

Then, if I try to lock the station manually, I immediately see the PIN dialog (without going through the "windows security" dialog), but:
- when I try to enter the PIN, it fails to unlock the station (a generic error message is shown).
- when I click "cancel", I have to unlock the station manually using login+password because the GINA is not responsive to smart card events anymore.

This appears with both a custom CSP of mine and with the ACS (Axalto) CSP. However, I have a test environment (domain controller + remote station + remote client) on which it appears all the time (it worked only once, I don't know why) and another environment where it does not seem to appear. Unfortunately, my client is facing the same problem in his environment.

I tried to analyse the problem deeper and it seems the logon process does not receive smart card events anymore simply because it does not manage to get a valid smart card context. My CSP is called when I try to enter the PIN to unlock the station and I could see that it does not manage to call SCardAcquireContext successfully (although it manages to do so for logging on). However, once the station is unlocked, all applications manage to get and use smart card contexts successfully.

I have seen two KB articles 875506 and 910482 that discuss similar problems but installing these hotfixes did not solve anything.

Note: this message was previously posted on platformsdk.security with no answer.

Thanks
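The first thing a defender checks when card removal fails to lock a session is whether the removal policy is actually set and enforced on the host, so that configuration is ruled out before a support case is opened. The following PowerShell is an added example and is not code from anyone in this thread. The function name Get-SmartCardRemovalPolicy is mine; ScRemoveOption (a REG_SZ value under the Winlogon key) and the Smart Card Removal Policy service (SCPolicySvc) are real Windows names. The service, and the value "3", exist only on Windows Vista / Server 2008 and later; on the Windows XP / Server 2003 stations discussed above winlogon handles removal itself, which is why the function treats an absent service as "not applicable" rather than as a fault. It is assumed that, where the service exists, it must be running for the policy to take effect.

```powershell
# Added example: audit the smart card removal behaviour controlled by the
# "smart card behavior" option discussed in the thread. Run on the machine
# whose session should lock when the card is pulled (over RDP, that is the
# remote host, not the client).

function Get-SmartCardRemovalPolicy {
    # Registry location of the removal policy (real Windows value).
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # Meaning of each ScRemoveOption value; "3" only exists on Vista/2008+.
    $meaning = @{
        '0' = 'No action (removal does not lock the session)'
        '1' = 'Lock workstation'
        '2' = 'Force logoff'
        '3' = 'Disconnect if a remote Remote Desktop Services session (Vista/2008+)'
    }

    # Value may be absent; an absent value behaves like "0" (no action).
    $raw = (Get-ItemProperty -Path $keyPath -Name ScRemoveOption `
                -ErrorAction SilentlyContinue).ScRemoveOption

    # Smart Card Removal Policy service: present on Vista/2008 and later only.
    $svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue

    $text = if ($null -eq $raw) {
        'Value not set (treated as 0, no action)'
    } elseif ($meaning.ContainsKey([string]$raw)) {
        $meaning[[string]$raw]
    } else {
        "Unrecognised value '$raw'"
    }

    $svcState = if ($svc) { [string]$svc.Status } else { 'Not present (pre-Vista: handled by winlogon)' }

    # Assumption: where the service exists it must be running for the policy
    # to be enforced; where it does not exist, the registry value alone decides.
    $enforced = ([string]$raw -in @('1', '2', '3')) -and
                ((-not $svc) -or ($svc.Status -eq 'Running'))

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ScRemoveOption      = $raw
        Meaning             = $text
        RemovalServiceState = $svcState
        PolicyEnforced      = $enforced
    }
}

# Usage: PolicyEnforced = False on a host that is expected to lock on card
# removal points at configuration; True with no lock observed (the situation
# described in the original post) points at the logon components instead.
Get-SmartCardRemovalPolicy | Format-List
```

Because the original poster saw the problem regardless of the option's state, this check would report PolicyEnforced as True for his hosts and thereby confirm that the fault lies below the policy layer, which is exactly the evidence a vendor support case needs.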






