Re: Smart card logon & remote desktop
Thank you all for your answers

1. Well, I have a sample of the Gemalto CSP and some cards that they gave me
in the context of some other completely unrelated project, but I don't use it
(except for such tests), I never paid for it (and never will) and I don't
resell it (and never will). So I'm just absolutely not a customer. Anyway, it
was just a piece of information I gave to demonstrate it appears with several
CSPs, including mine (which is the most important point). I can't bother
someone to help me fix a problem regarding my product if it competes with his
product. This is just not right.

2. Moreover, the problem really seems to come from the way Windows handles
the insertion/removal events (more precisely its whole smart card context,
which seems to become invalid after logging in) within the logon process.
Whether it comes from the GINA part of this process or not is not relevant.
It comes, in any case, from a part of the system written by Microsoft. So I can
at least expect MS to have a look at the problem. This is part of the MSDN
program, am I wrong?

3. I totally agree. I can't afford redeveloping a GINA.

To answer Brian: As suggested by Alun, my customer has not switched to Vista
yet (like most people). I, of course, can't force him to do it. And, as XP
and Win2K are still maintained by Microsoft (hopefully), I still think there
is some hope...

Dimitri

"S. Pidgorny <MVP>" wrote:

1. The issue you're describing is with Gemalto cards and their CSP too - so
you are a customer and can ask;
2. Card removal/insertion detection is not a part of MS GINA - so there will
be no hotfix;
3. Forget writing your own GINA. Seriously.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Dimitri" <Dimitri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1590DE6D-C570-4C7C-B149-382990A2A128@xxxxxxxxxxxxxxxx
Thanks Brian,

However, I can't really ask Gemalto for some help. I'm a [very very small]
competitor, not a customer.
I use the standard Windows GINA, not a custom one. I guess that developing a
specific GINA would certainly solve the problem. But - as far as I could
investigate - I see this issue as (maybe) a bug in the Microsoft GINA, so I'd
rather have Microsoft publish a hotfix than re-developing it myself. But I
could also be wrong...

Anybody from Microsoft, please help...

Dimitri

"Brian Komar" wrote:

Send details of the issue to hotline@xxxxxxxxxxx
They may be able to help you.
I have seen this issue with many legacy CSPs.
Are you using a custom GINA by any chance?
Brian

"Dimitri" <Dimitri@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4749B770-72FA-4FBE-B3DC-B5A66A1600D2@xxxxxxxxxxxxxxxx
Dear all,

I have a problem using smart card logon through a remote desktop connection.
I can successfully log in using my smart card, but when I remove the card, the
station does not become locked whatever the state of the "smart card behavior"
option (note that it successfully locks the station when I log on to the
computer locally). Removing the card has just no effect.

Then, if I try to lock the station manually, I immediately see the PIN dialog
(without going through the "Windows Security" dialog), but:
- when I try to enter the PIN, it fails to unlock the station (a generic error
message is shown).
- when I click "cancel", I have to unlock the station manually using
login+password because the GINA is not responsive to smart card events
anymore.

This appears with both a custom CSP of mine and with the ACS (Axalto) CSP.
However, I have a test environment (domain controller + remote station + remote
client) on which it appears all the time (it worked only once, I don't know
why) and another environment where it does not seem to appear. Unfortunately,
my client is facing the same problem in his environment.

I tried to analyse the problem deeper and it seems the logon process no longer
receives smart card events simply because it does not manage to get a valid
smart card context. My CSP is called when I try to enter the PIN to unlock the
station and I could see that it does not manage to call SCardAcquireContext
successfully (although it manages to do so for logging on). However, once the
station is unlocked, all applications manage to get and use smart card contexts
successfully.

I have seen two KB articles 875506 and 910482 that discuss similar problems
but installing these hotfixes did not solve anything.

Note: this message was previously posted on platformsdk.security with no
answer.

Thanks
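An added diagnostic for the symptom described in this post (it is not code from any participant in the thread): it calls SCardEstablishContext, the winscard call that creates the smart card context the post refers to, and then blocks in SCardGetStatusChange so you can see whether the session both gets a context and is told about card removal. Assumptions: Windows, linked against winscard.lib, a single reader; card_was_removed() is a helper written for this example, and the idea is to run the tool once in a local logon and once inside the Remote Desktop session and compare which step fails.

```c
/* Added example (not from the thread): does this session get a smart card
 * context, and does it see card removal?  Compare a local logon with RDP. */
#include <stdio.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <winscard.h>
#else
/* Same bit values as winscard.h so the transition logic builds anywhere. */
#define SCARD_STATE_CHANGED 0x0002u
#define SCARD_STATE_EMPTY   0x0010u
#define SCARD_STATE_PRESENT 0x0020u
#endif
/* Classify one SCardGetStatusChange result: prev is the state the caller last
 * knew (dwCurrentState), now is the dwEventState the call filled in. Returns 1
 * only for the present -> empty transition, i.e. the card was pulled. */
int card_was_removed(uint32_t prev, uint32_t now) {
    if (!(now & SCARD_STATE_CHANGED)) return 0;            /* nothing happened */
    return (prev & SCARD_STATE_PRESENT) && (now & SCARD_STATE_EMPTY);
}
#ifdef _WIN32
int main(void) {
    SCARDCONTEXT ctx;
    LONG rc = SCardEstablishContext(SCARD_SCOPE_USER, NULL, NULL, &ctx);
    if (rc != SCARD_S_SUCCESS) {      /* the failure the thread is about */
        printf("SCardEstablishContext failed: 0x%08lX\n", (unsigned long)rc);
        return 1;
    }
    LPSTR readers = NULL;             /* multi-string; we watch the first reader */
    DWORD len = SCARD_AUTOALLOCATE;
    rc = SCardListReadersA(ctx, NULL, (LPSTR)&readers, &len);
    if (rc != SCARD_S_SUCCESS) {
        printf("SCardListReadersA failed: 0x%08lX\n", (unsigned long)rc);
        SCardReleaseContext(ctx);
        return 1;
    }
    SCARD_READERSTATEA rs = {0};
    rs.szReader = readers;
    rs.dwCurrentState = SCARD_STATE_UNAWARE;  /* first call just learns the state */
    while ((rc = SCardGetStatusChangeA(ctx, INFINITE, &rs, 1)) == SCARD_S_SUCCESS) {
        if (card_was_removed(rs.dwCurrentState, rs.dwEventState))
            printf("card removed from reader %s\n", readers);
        rs.dwCurrentState = rs.dwEventState & ~SCARD_STATE_CHANGED;
    }
    printf("SCardGetStatusChangeA failed: 0x%08lX\n", (unsigned long)rc);
    SCardFreeMemory(ctx, readers);
    SCardReleaseContext(ctx);
    return 1;
}
#endif
```

If the tool prints an SCardEstablishContext error only inside the RDP session, the session has no usable smart card context and no removal-policy setting can fire; if it gets a context but never prints a removal line when the card is pulled, the events are not reaching the session.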
