Re: EFS and Smart Card

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: Wed, 30 Jul 2003 05:22:31 -0700

Yes, this is one of the major reasons and there are about 12 others. Please
take our word as authoritative on this subject. We would like to support
this functionality in the future.

http://www.microsoft.com/WindowsXP/pro/techinfo/administration/recovery/default.asp

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"John Banes [MS]" <jbanes@online.microsoft.com> wrote in message
news:eTcc1GfVDHA.2288@TK2MSFTNGP12.phx.gbl...
> EFS is mostly implemented in the lsass.exe process, which doesn't directly
> have access to the user desktop. So when the smartcard CSP attempts to
> display its PIN dialog box, the calling thread hangs forever. So to support
> smartcards, some extra code would need to be written to obtain the PIN ahead
> of time and plumb it down to the lsass.exe process. There may be additional
> reasons, but this is what comes to mind.
>
> Regards,
>
> John Banes
> [Microsoft Security Developer]
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please do not send email directly to this alias. This alias is for newsgroup
> purposes only.
>
> "Ling Tang" <ltang7@hotmail.com> wrote in message
> news:OwFzorWVDHA.1316@TK2MSFTNGP12.phx.gbl...
> > Thanks David and again Mike. I noticed these questions have been discussed
> > several times, but I still got different answers from different parties,
> > I guess probably because they quoted from different white papers.
> >
> > I am still very curious why EFS does not support smart card. If I replace
> > the default CSP (MS Base Cryptographic Provider) with my own smart card
> > CSP which is implemented according to the spec, I can't understand why
> > this does not work.
> >
> > Cheers,
> > Ling
> > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > news:eOfxOJQVDHA.2224@TK2MSFTNGP09.phx.gbl...
> > > I will try to get the windows 2000 paper corrected: EFS does not support
> > > smartcards currently and will not work with smartcards in current
> > > versions of Windows.
> > >
> > > -- 
> > >
> > >
> > > David B. Cross [MS]
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > >
> > > http://support.microsoft.com
> > >
> > > "Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in message
> > > news:%23VWRu5OVDHA.2004@TK2MSFTNGP10.phx.gbl...
> > > > Hi,
> > > >
> > > > this question has been asked quite a few times at the last Tech-Ed in
> > > > Dallas and even before at one of the T-Preps that I was attending. The
> > > > answer was always no. I am not sure why at this moment. I will have to
> > > > check some of my notes.
> > > >
> > > > Here is
> > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/support/DataProt.asp
> > > > a white paper on Data Protection and Recovery on WinXP. Microsoft here
> > > > states:
> > > > "Smart card-based certificates and keys are not currently supported with
> > > > the Encrypting File System."
> > > >
> > > > I am sorry I can't give more details at the moment, but I will look into
> > > > it...
> > > >
> > > > -- 
> > > > Mike
> > > > MCSA 2K, MCSE 2K, MCT, ...
> > > >
> > > > "Ling Tang" <ltang7@hotmail.com> wrote in message
> > > > news:u4cK7gOVDHA.2368@TK2MSFTNGP09.phx.gbl...
> > > > > Thanks Mike, but it is mentioned in the white paper from Microsoft that
> > > > > EFS does support smart card.
> > > > >
> > > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/nt5efs.asp
> > > > >
> > > > > Besides, do you have any idea why it does not support smart cards? From
> > > > > my limited knowledge, EFS always makes use of CryptoAPI, so as long as
> > > > > the CSP supports smart card, it should have no big difficulty in usage
> > > > > of smart card in EFS... please comment and elaborate.
> > > > >
> > > > > Thanks,
> > > > > Ling
> > > > >
> > > > > "Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in message
> > > > > news:uMjs$lNVDHA.1368@TK2MSFTNGP11.phx.gbl...
> > > > > > Hi Ling,
> > > > > >
> > > > > > it is not possible to use EFS with Smart Cards... Microsoft was
> > > > > > thinking about this for Windows 2003 server, but it is still not
> > > > > > supported and it will not work...
> > > > > >
> > > > > > -- 
> > > > > > Mike
> > > > > > MCSA 2K, MCSE 2K, MCT, ...
> > > > > >
> > > > > > "Ling Tang" <ltang7@hotmail.com> wrote in message
> > > > > > news:%23Sh5PYNVDHA.2104@TK2MSFTNGP10.phx.gbl...
> > > > > > > I found different comments on support of smart card or other
> > > > > > > hardware token in Encrypting File System (EFS). Maybe they are
> > > > > > > referring to different versions of Windows or based on some
> > > > > > > assumption. May I be excused to ask the same question again. And I
> > > > > > > would appreciate it if you can provide pointers of information on
> > > > > > > your comment about whether EFS supports usage of smart card.
> > > > > > > I know a few articles that have a high level description on whether
> > > > > > > EFS can support hardware token, but it is not detailed or technical
> > > > > > > enough. I would be grateful if you have pointers to some really
> > > > > > > technical articles about EFS with smart card.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Ling
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>


Relevant Pages

  • Re: EFS and Smart Card
    ... We would like to support ... So when the smartcard CSP attempts to ... > smartcards, some extra code would need to be written to obtain the PIN ... >> I am still very curious why EFS does not support smart card. ...
    (microsoft.public.security)
  • Re: EFS and Smart Card
    ... We would like to support ... So when the smartcard CSP attempts to ... > smartcards, some extra code would need to be written to obtain the PIN ... >> I am still very curious why EFS does not support smart card. ...
    (microsoft.public.win2000.security)
  • Re: EFS and Smart Card
    ... EFS is mostly implemented in the lsass.exe process, ... So when the smartcard CSP attempts to ... smartcards, some extra code would need to be written to obtain the PIN ahead ... > I am still very curious why EFS does not support smart card. ...
    (microsoft.public.security)
  • Re: EFS and Smart Card
    ... EFS is mostly implemented in the lsass.exe process, ... So when the smartcard CSP attempts to ... smartcards, some extra code would need to be written to obtain the PIN ahead ... > I am still very curious why EFS does not support smart card. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: EFS and Smart Card
    ... EFS is mostly implemented in the lsass.exe process, ... So when the smartcard CSP attempts to ... smartcards, some extra code would need to be written to obtain the PIN ahead ... > I am still very curious why EFS does not support smart card. ...
    (microsoft.public.win2000.security)